Skip to main content

Suse

9348 CVEs vendor

Monthly

CVE-2026-13876 MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 is achievable by an attacker holding a privileged network position who can manipulate traffic between the victim's browser and a server. The flaw originates in Chrome's Network component (CWE-693: Protection Mechanism Failure), where an inappropriate implementation allows CSP enforcement to be circumvented via crafted network traffic, yielding a High Integrity impact. No active exploitation is confirmed - the vulnerability is absent from CISA KEV and carries an EPSS score of 0.15% (4th percentile) - but the attack vector is unauthenticated and the integrity impact is significant for high-value targets on adversarial networks.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-13875 MEDIUM PATCH This Month

Memory disclosure in Google Chrome's GPU component on Windows enables a remote attacker - who has already established renderer process compromise - to extract sensitive data from process memory via a crafted HTML page. Affected versions are all Chrome for Windows releases prior to 150.0.7871.47. This is a second-stage exploit component: it does not independently achieve remote code execution but can be chained with a renderer exploit to leak process memory contents, potentially exposing credentials, tokens, or other in-memory sensitive data. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-13874 MEDIUM PATCH This Month

Race condition in the DataTransfer API in Google Chrome prior to 150.0.7871.47 allows a remote attacker to read potentially sensitive data from renderer process memory by luring a user to a specially crafted HTML page. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms the impact is limited to confidentiality - no integrity or availability loss - and that reliable exploitation requires winning a timing race (AC:H) combined with user interaction. No public exploit identified at time of analysis; Google has shipped a patch in the stable channel update dated June 2026.

Information Disclosure Race Condition Google Suse
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-13873 MEDIUM PATCH This Month

Out-of-bounds read in Chrome's Layout engine prior to 150.0.7871.47 allows remote attackers to leak potentially sensitive data from the renderer process memory by serving a crafted HTML page. User interaction is required - the victim must visit the malicious page - limiting automated mass exploitation. No public exploit code has been identified at time of analysis, and CISA SSVC rates exploitation status as none with partial technical impact, placing real-world urgency below what the CVSS 6.5 score alone might suggest.

Memory Corruption Buffer Overflow Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13872 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for Android before 150.0.7871.47 lets a local attacker break out of the renderer/browser sandbox by feeding a malicious file into the WebAppInstalls component, which insufficiently validates untrusted input (CWE-20). Chromium rates the security severity as Medium, and no public exploit has been identified at time of analysis; EPSS estimates only a 0.13% (3rd percentile) chance of exploitation in the next 30 days. A vendor patch is available in Chrome 150.0.7871.47.

Information Disclosure Google Suse
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-13871 MEDIUM PATCH This Month

GuestView policy enforcement in Google Chrome prior to 150.0.7871.47 can be subverted by an attacker who has already achieved renderer process compromise, allowing site isolation to be bypassed via a crafted HTML page. The flaw (CWE-602: Client-Side Enforcement of Server-Side Security) enables manipulation of cross-origin content or policy in embedded browsing contexts that Chrome's site isolation architecture is designed to protect. No public exploit code has been identified and EPSS places exploitation probability at 0.22% (13th percentile), consistent with the elevated prerequisite of a prior renderer compromise required to trigger this vulnerability.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13870 HIGH PATCH This Week

Sandboxed remote code execution in the WebView component of Google Chrome for Android before 150.0.7871.47 lets a remote attacker run arbitrary code within the renderer sandbox when a victim loads a crafted HTML page. Rated CVSS 8.8 (network vector, no privileges, requires user interaction), the flaw is a CWE-416 use-after-free, but code execution is confined to the sandbox and would require a separate escape to reach the host. No public exploit identified at time of analysis, and EPSS is low at 0.26% (17th percentile), indicating limited near-term mass-exploitation pressure despite the high base score.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13869 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Device component on Windows (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, exploiting a use-after-free (CWE-416). Google rates the Chromium security severity as Medium, reflecting that it is a second-stage bug requiring prior renderer compromise, though the NVD CVSS of 9.6 is inflated by the sandbox scope change. There is no public exploit identified at time of analysis and EPSS is low (0.21%), indicating no current sign of widespread exploitation.

Memory Corruption Google Microsoft Denial Of Service Use After Free +1
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13868 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome on Android prior to 150.0.7871.47 enables a remote attacker - who has already achieved renderer process compromise via a separate exploit - to break cross-origin security boundaries using a crafted HTML page. The root cause is CWE-346 (Origin Validation Error) in Chrome's Android-specific network implementation, meaning the network layer fails to enforce origin checks when requests originate from a compromised renderer context. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.22% at the 13th percentile reflects the high chaining complexity required.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13867 MEDIUM PATCH This Month

UI spoofing via Chrome's Geolocation implementation (versions prior to 150.0.7871.47) allows a remote, unauthenticated attacker to deceive users about the origin or context of geolocation permission requests through a crafted HTML page. Exploitation requires user interaction with the malicious page, limiting automated attack potential. With EPSS at 0.21% (11th percentile), no CISA KEV listing, and no public exploit identified, real-world exploitation risk is low despite the broad deployment footprint of Chrome.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13866 MEDIUM PATCH This Month

Site isolation bypass in Google Chrome for Android (prior to 150.0.7871.47) allows a remote attacker who has already achieved renderer process compromise to cross origin boundaries using a crafted HTML page, enabling high-integrity impact against other open sites. The root cause is CWE-20 (Improper Input Validation) within Chrome's Input subsystem on Android - an input handling implementation flaw that fails to enforce cross-origin separation once the renderer is under adversary control. No public exploit has been identified at time of analysis and EPSS sits at 0.22% (13th percentile), placing this firmly in the category of a meaningful escalation primitive rather than a standalone mass-exploitation risk.

Authentication Bypass Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13865 MEDIUM PATCH This Month

UI spoofing in Google Chrome Enterprise prior to version 150.0.7871.47 allows unauthenticated remote attackers to deceive users into believing they are interacting with legitimate browser UI by serving a crafted HTML page. The root cause is insufficient validation of untrusted HTML input within Chrome's Enterprise component (CWE-20), enabling an attacker to manipulate visual elements such as address bars, dialog prompts, or permission requests. No public exploit has been identified at time of analysis and EPSS sits at 0.21% (11th percentile), indicating low current exploitation probability despite a network-accessible attack vector.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13864 HIGH PATCH This Week

Privilege escalation in Google Chrome desktop prior to 150.0.7871.47 stems from insufficient policy enforcement in the WebHID subsystem, letting a maliciously crafted extension escape its intended boundaries and gain elevated access to human-interface devices and browser privileges. Exploitation first requires convincing a victim to install the malicious extension, after which a crafted Chrome Extension bypasses WebHID access controls. Chromium rates the issue Medium; no public exploit is identified at time of analysis and EPSS exploitation probability is low (0.13%, 3rd percentile).

Authentication Bypass Privilege Escalation Google Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-13863 HIGH PATCH This Week

Privilege escalation in Google Chrome for Android (CustomTabs) prior to 150.0.7871.47 allows a local attacker to escalate privileges by supplying a malicious file that CustomTabs fails to validate properly. Google rates the Chromium severity as Medium, and the requirement for user interaction plus local access limits remote mass exploitation. No public exploit has been identified at time of analysis and the EPSS score is very low (0.13%, 3rd percentile), so opportunistic exploitation appears unlikely.

Privilege Escalation Google Suse
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13862 MEDIUM PATCH This Month

Insufficient policy enforcement in Web Authentication (Passkeys & Security Keys) in Google Chrome on iOS prior to 150.0.7871.47 allowed an attacker in a privileged network position to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Apple Google Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13861 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox and reach the host via a crafted HTML page, exploiting a use-after-free (CWE-416) in the Core component. Google-assigned Chromium severity is Medium, though the NVD CVSS is 9.6 due to the cross-boundary scope change. No public exploit identified at time of analysis, and EPSS is low (0.21%, 11th percentile), indicating it is not yet a mass-exploitation target.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13860 MEDIUM PATCH This Month

UI spoofing in Google Chrome's Autofill component on Windows (all versions prior to 150.0.7871.47) allows a remote unauthenticated attacker to mislead users into interacting with forged security UI elements by convincing them to perform specific on-page gestures against a crafted HTML page. Rooted in CWE-451 (UI Misrepresentation of Critical Information), the flaw enables an adversary to obscure or fabricate Autofill security indicators, potentially tricking users into submitting saved credentials or personal data to attacker-controlled destinations. No public exploit or CISA KEV listing has been confirmed; Google has released a fix in stable channel version 150.0.7871.47.

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13859 CRITICAL PATCH Act Now

Inappropriate implementation in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13858 MEDIUM PATCH This Month

Out-of-bounds read in Chrome's bundled FFmpeg video decoding component (all versions prior to 150.0.7871.47) allows a remote attacker to leak renderer process memory contents via a crafted video file. The CVSS vector confirms network reachability with no required privileges (PR:N) but mandates user interaction (UI:R), meaning the victim must process the malicious video. SSVC assessment rates exploitation as none and the attack non-automatable, and no public exploit has been identified at time of analysis; Google has released a patched build at 150.0.7871.47.

Google Buffer Overflow Information Disclosure Suse
NVD
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13857 MEDIUM PATCH This Month

UI spoofing via crafted HTML in Google Chrome's Geometry component (versions prior to 150.0.7871.47) enables remote attackers to misrepresent security-critical interface elements to users who are socially engineered into performing specific UI gestures. The flaw stems from an inappropriate implementation in Chrome's Geometry subsystem (CWE-451), affecting the integrity and availability of the browser interface at low impact levels. No public exploit or active exploitation has been identified; Google has released a confirmed patch in version 150.0.7871.47.

Information Disclosure Google Suse
NVD
CVSS 3.1
4.2
EPSS
0.2%
CVE-2026-13856 HIGH PATCH This Week

Privilege escalation in Google Chrome for Android before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out further by feeding a crafted HTML page into the Speech component, which fails to validate untrusted input (CWE-20). Google rated it Medium severity; a fix has shipped in the Stable channel, EPSS is low (0.21%, 11th percentile), and there is no public exploit identified at time of analysis. This is a sandbox-escape-class chaining bug rather than a standalone remote drive-by, since it presupposes a prior renderer compromise.

Privilege Escalation Google Suse
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13855 HIGH PATCH This Week

Remote code execution in Google Chrome on Linux (versions prior to 150.0.7871.47) stems from a use-after-free in the Ozone platform layer, allowing a remote attacker who lures a victim into performing specific UI gestures on a crafted HTML page to execute arbitrary code in the browser context. Rated High by Chromium and CVSS 7.5, exploitation is gated by required user interaction and high attack complexity. There is no public exploit identified at time of analysis, and the EPSS probability is low at 0.26% (17th percentile).

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13854 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Linux (versions prior to 150.0.7871.47) stems from a use-after-free in Ozone, Chrome's platform abstraction layer for windowing and graphics. An attacker who has already compromised the renderer process can leverage a crafted HTML page to break out of the browser sandbox and gain code execution at the higher-privileged browser-process level. There is no public exploit identified at time of analysis, and the EPSS score is low (0.21%, 11th percentile), consistent with a second-stage bug that requires a prior renderer compromise rather than a directly weaponizable single-shot flaw.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13853 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Journeys (browsing history) component, allowing a remote attacker who has already compromised the renderer process to break out of the sandbox and gain broader code execution on the host via a crafted HTML page. Rated High severity by Chromium and CVSS 9.6, a fix is available from vendor; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%, 11th percentile). Exploitation is meaningful only as the second stage of a chain, since it presupposes prior renderer compromise.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13852 CRITICAL PATCH Act Now

Discretionary access control bypass in Google Chrome for Android before 150.0.7871.47 lets a local attacker abuse the WebAppInstalls component through a crafted HTML page, undermining the platform's integrity and availability boundaries. Google rates the Chromium severity High and has shipped a fix in the Stable channel; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile).

Authentication Bypass Google Suse
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-13851 CRITICAL PATCH Act Now

Access-control bypass in Google Chrome for Android before 150.0.7871.47 allows an attacker to subvert discretionary access controls through the WebAppInstalls component by serving a crafted HTML page, stemming from insufficient validation of untrusted input. Rated High by Chromium and scored CVSS 9.1, the flaw carries high integrity and availability impact but no confidentiality loss; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile).

Authentication Bypass Google Suse
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-13850 HIGH PATCH This Week

Sandboxed arbitrary code execution in Google Chrome for iOS before 150.0.7871.47 lets an attacker who convinces a user to open a malicious file run code inside the browser's sandbox due to insufficient validation of untrusted input. Google rates the Chromium severity High and ships the fix in 150.0.7871.47; EPSS is low (0.15%, 4th percentile) and there is no public exploit identified at time of analysis. The flaw requires user interaction (opening the file) and, per the description, the resulting execution is confined to the sandbox rather than the underlying OS.

Apple RCE Google Suse
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-13849 HIGH PATCH This Week

Insufficient validation of untrusted input in Chromoting in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Information Disclosure Microsoft Google Suse
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-13848 HIGH PATCH This Week

Remote code execution in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Forms component, letting a remote attacker who lures a victim to a crafted HTML page corrupt memory and execute arbitrary code within the browser's renderer sandbox. Chromium rates the flaw High severity, CVSS 8.8, requiring only that the user visit a malicious page; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.26%, 17th percentile). A vendor patch is available in the June 2026 Stable channel release.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13847 MEDIUM PATCH This Month

Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Apple Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13846 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for macOS before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox by exploiting a use-after-free in the USB subsystem via a crafted HTML page. Rated High by Chromium and CVSS 9.6, it functions as a second-stage escalation primitive rather than a standalone entry point. There is no public exploit identified at time of analysis, and EPSS is low at 0.21% (11th percentile).

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13845 HIGH PATCH This Week

Arbitrary code execution in Google Chrome's DOM implementation lets a remote attacker run code within the renderer sandbox by luring a victim to a crafted HTML page. All desktop Chrome builds before 150.0.7871.47 are affected; Chromium rates the flaw High severity. No public exploit has been identified and EPSS probability is low (0.26%), but the vendor patch is already available and should be applied promptly.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13844 HIGH PATCH This Week

Local OS-level privilege escalation in Google Chrome on Windows (versions prior to 150.0.7871.47) arises from a use-after-free in the Chrome Updater component, letting a local attacker who can plant a malicious file on the system elevate to higher OS privileges. Google rates the Chromium severity as High and has released a fixed Stable channel build; there is no public exploit identified and it is not listed in CISA KEV. EPSS is low at 0.13% (3rd percentile), consistent with a bug that requires local access and user interaction rather than mass remote exploitation.

Memory Corruption Google Microsoft Denial Of Service Use After Free +2
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13843 CRITICAL PATCH Act Now

Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Apple Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13842 MEDIUM PATCH This Month

Omnibox spoofing in Google Chrome for iOS prior to 150.0.7871.47 enables remote unauthenticated attackers to display a falsified URL in the browser address bar by delivering a crafted HTML page to an iOS user. The flaw is classified CWE-451 (UI misrepresentation of critical information) and is iOS-platform-specific, with no impact on Chrome for Android, Windows, macOS, or Linux. No active exploitation is confirmed - the vulnerability is not listed in CISA KEV and EPSS sits at 0.22% (12th percentile) - but the spoofing primitive is a classic enabler of targeted phishing campaigns against mobile users.

Information Disclosure Apple Google Suse
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13841 HIGH PATCH This Week

Integer overflow in Skia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow Google Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13840 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Canvas component prior to version 150.0.7871.47 exposes sensitive cross-origin content to remote attackers via a crafted HTML page. The flaw bypasses Same-Origin Policy protections enforced at the Canvas API layer, enabling pixel-level or structured data extraction from cross-origin resources rendered in a canvas context. With CVSS 6.5, EPSS at 0.21% (11th percentile), and no CISA KEV listing or public exploit identified at time of analysis, real-world exploitation is low-probability but credible given the zero-privilege, network-accessible attack path requiring only a single user visit.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13839 MEDIUM PATCH This Month

Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13838 MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's CSS implementation allows a remote, unauthenticated attacker to violate cross-origin integrity protections by luring a user to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected. Google has released a patch; no active exploitation is confirmed (not listed in CISA KEV), and the EPSS score of 0.22% at the 13th percentile indicates low current exploitation probability.

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13837 MEDIUM PATCH This Month

UI spoofing in Google Chrome before 150.0.7871.47 allows remote unauthenticated attackers to visually deceive users by serving a crafted HTML page that exploits a flaw in Chrome's CSS implementation. The flaw (CWE-451: UI Misrepresentation of Critical Information) enables attacker-controlled content to obscure or mimic trusted browser UI elements such as the address bar or security indicators, creating a credible phishing surface. No public exploit has been identified at time of analysis, and the EPSS score of 0.22% (12th percentile) indicates minimal observed exploitation activity; however, Google's internal Chromium severity rating of 'High' reflects the significant phishing and credential-theft potential inherent in convincing browser UI spoofing.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13836 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's CSS implementation prior to version 150.0.7871.47 allows a remote attacker to inject arbitrary scripts or HTML across origin boundaries by luring a victim to a crafted HTML page. The flaw exploits an inappropriate handling of CSS that causes Chrome's renderer to break the same-origin policy, enabling script execution in the context of other origins. No public exploit or CISA KEV listing has been identified; EPSS probability is very low (0.21%, 12th percentile), suggesting limited active exploitation at time of analysis.

XSS Google Suse
NVD VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-13835 HIGH PATCH This Week

Inappropriate implementation in XML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Google Heap Overflow Buffer Overflow Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13834 HIGH PATCH This Week

Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13833 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's ANGLE graphics library on macOS allows a remote attacker to exfiltrate sensitive cross-origin data by luring a victim to a crafted HTML page. Affected are all Chrome versions on Mac prior to 150.0.7871.47. The flaw stems from uninitialized memory use within ANGLE, Chrome's graphics abstraction layer, enabling residual memory contents from other security origins to be read and potentially returned to an attacker-controlled page. No public exploit code or active exploitation has been identified at time of analysis; EPSS is low at 0.23% (13th percentile), consistent with a high-CVSS flaw constrained by both user-interaction and platform requirements.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13832 HIGH PATCH This Week

Sandbox escape in Google Chrome's Headless component (versions prior to 150.0.7871.47) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox by serving a crafted HTML page. Rated High by Chromium and CVSS 8.3, it is a CWE-416 use-after-free with no public exploit identified at time of analysis; EPSS is low at 0.21% (11th percentile) and CISA SSVC records no known exploitation.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13831 HIGH PATCH This Week

Out-of-bounds read/write (use-after-free) in Google Chrome's GPU component lets a remote attacker who has already compromised the renderer process run arbitrary code - though still confined inside the sandbox - by serving a crafted HTML page to a Chrome build prior to 150.0.7871.47. Google rates the Chromium severity High and has shipped a fixed Stable-channel build; there is no public exploit identified at time of analysis and EPSS puts near-term exploitation probability at just 0.26%.

Memory Corruption Google Buffer Overflow Use After Free RCE +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13830 HIGH PATCH This Week

Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Linux allows an adjacent-network attacker to run arbitrary code by sending malicious network traffic to a vulnerable client before version 150.0.7871.47. The flaw is a use-after-free memory-corruption issue rated High by Chromium and carries a CVSS 8.8. There is no public exploit identified at time of analysis, it is not in CISA KEV, and EPSS is low (0.24%, 15th percentile), indicating no observed exploitation activity yet.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13829 HIGH PATCH This Week

Insufficient validation of untrusted input in Settings in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Microsoft Google Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13828 MEDIUM PATCH This Month

Memory disclosure in Google Chrome's Enterprise policy implementation exposes sensitive process memory contents to remote attackers who can direct victims to a crafted HTML page. All Chrome desktop releases prior to 150.0.7871.47 are affected. No public exploit code exists and CISA SSVC classifies exploitation status as none, but the high confidentiality impact and zero-privilege-required attack path make prompt patching advisable for enterprise-managed Chrome deployments.

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13827 HIGH PATCH This Week

Local privilege escalation in Google Chrome's Updater component on macOS versions prior to 150.0.7871.47 lets an attacker abuse a use-after-free (CWE-416) via a malicious file to gain the elevated privileges under which the updater runs. Google rates the Chromium severity as High, and the CVSS 3.1 base score is 7.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS is low at 0.13% (3rd percentile), consistent with the SSVC exploitation status of 'none'.

Memory Corruption Google Denial Of Service Use After Free Privilege Escalation +1
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13826 MEDIUM PATCH This Month

Cross-origin data leakage via Chrome's Autofill implementation on Android allows a remote attacker with prior renderer process compromise to extract sensitive data across origin boundaries using a crafted HTML page. Affected versions are all Chrome for Android releases prior to 150.0.7871.47. No public exploit code has been identified and the EPSS score of 0.21% (11th percentile) reflects low observed exploitation activity; however, the cross-origin data exposure (CWE-346) combined with Autofill access creates meaningful privacy risk for users on vulnerable Android builds. Google has released a patch in the stable channel update.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13825 HIGH PATCH This Week

Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13824 HIGH PATCH This Week

Privilege escalation in Google Chrome's Extensions subsystem before version 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of that context and gain elevated privileges by delivering a crafted HTML page. Google rates the Chromium severity as High, and the assigned CVSS is 7.5 (AV:N/AC:H). There is no public exploit identified at time of analysis, EPSS is low (0.21%, 11th percentile), and CISA's SSVC framework records exploitation status as none, indicating this is currently a patch-and-move-on issue rather than an active threat.

Privilege Escalation Google Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13823 HIGH PATCH This Week

Use after free in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13822 MEDIUM PATCH This Month

Inappropriate implementation in Extensions in Google Chrome on Android prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-13821 HIGH PATCH This Week

Remote code execution in Google Chrome desktop versions prior to 150.0.7871.47 stems from a use-after-free in the Canvas component, letting a remote attacker run arbitrary code within the renderer sandbox when a victim opens a crafted HTML page. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (visiting a malicious page), but no authentication. There is no public exploit identified at time of analysis, and EPSS is low at 0.26% (17th percentile).

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13820 MEDIUM PATCH This Month

Out of bounds read in Skia in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Google Buffer Overflow Information Disclosure Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13819 HIGH PATCH This Week

Out of bounds read in ANGLE in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

Google Buffer Overflow Information Disclosure Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-13818 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Passwords subsystem allows a remote attacker to circumvent intended access controls by delivering a crafted HTML page to a user. All Chrome desktop versions prior to 150.0.7871.47 are affected, with integrity rated High by CVSS due to the ability to manipulate navigation behavior. No public exploit exists at time of analysis and EPSS sits at 0.22% (13th percentile), indicating low near-term exploitation probability despite Chrome's enormous global footprint and Chromium's internal 'High' severity classification.

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13817 HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 150.0.7871.47 stems from insufficient input validation in the Glic component, allowing a remote attacker who lures a victim to a crafted HTML page to potentially break out of the renderer sandbox. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (visiting a malicious page); there is no public exploit identified at time of analysis and EPSS estimates only a 0.21% exploitation probability. A vendor patch is available and the issue is not listed in CISA KEV.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-13816 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome for Android prior to 150.0.7871.47 enables remote attackers to read data from other origins via a crafted HTML page exploiting insufficient validation in the File Input component. The flaw is Android-platform-specific, requiring only that a victim user navigate to an attacker-controlled page. No active exploitation has been confirmed (CISA KEV negative, SSVC exploitation: none), and EPSS at 0.21% (11th percentile) reflects low current exploitation interest, though the unauthenticated, low-complexity attack vector keeps it a relevant patching priority for Android Chrome deployments.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13815 HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (versions prior to 150.0.7871.47) allows a remote attacker to run arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium and 8.8 (CVSS 3.1); it requires user interaction (visiting a malicious page) and no privileges. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with a low EPSS of 0.26% (17th percentile).

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13814 HIGH PATCH This Week

Heap corruption via a use-after-free in the Views UI component of Google Chrome allows a remote attacker who serves a crafted HTML page and lures a user into performing specific UI gestures to potentially execute code in the browser process. All desktop Chrome builds prior to 150.0.7871.47 are affected; Google rates the Chromium severity as High and has shipped a fix. No public exploit identified at time of analysis, and EPSS is low (0.21%, 11th percentile).

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13813 HIGH PATCH This Week

Sandbox escape in Google Chrome for iOS prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page, escalating from renderer-level code execution to broader access on the device. The flaw stems from insufficient policy enforcement (CWE-20) and carries a High Chromium severity rating with a CVSS 8.3 (scope-changed) score. There is no public exploit identified at time of analysis and it is not in CISA KEV; EPSS probability is low at 0.21% (11th percentile).

Information Disclosure Apple Google Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13812 MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome for iOS prior to 150.0.7871.47 enables a remote attacker to inject arbitrary scripts or HTML across origins by exploiting insufficient input validation triggered through specific user UI gestures on a crafted page. The scope change (S:C in CVSS) is the critical dimension here - successful exploitation bypasses the same-origin policy, potentially granting the attacker script execution in the context of arbitrary origins within the browser session. No public exploit code has been identified and EPSS sits at just 0.20% (11th percentile), indicating low observed exploitation activity despite the high-impact class of vulnerability.

Code Injection Apple Google Suse
NVD VulDB
CVSS 3.1
4.7
EPSS
0.2%
CVE-2026-13811 HIGH PATCH This Week

Renderer-process remote code execution in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Input Method Editor (IME) component, letting a remote attacker run arbitrary code within the browser's sandbox when a victim visits a crafted HTML page. Rated High by Chromium and CVSS 8.8, it requires user interaction (visiting a page) but no authentication. No public exploit identified at time of analysis, and the EPSS score is low (0.26%, 17th percentile), indicating no evidence of widespread exploitation yet.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13810 MEDIUM PATCH This Month

Memory disclosure in Google Chrome for Linux (prior to 150.0.7871.47) allows a remote attacker to read sensitive contents from the browser's process memory by directing a user to a crafted HTML page. The flaw stems from an inappropriate implementation in Chrome's input handling subsystem, and is platform-specific - only Linux builds are affected. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the network-reachable, zero-authentication attack path and high confidentiality impact make patching a near-term priority for Linux desktop environments.

Google Information Disclosure Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-13809 MEDIUM PATCH This Month

Side-channel information leakage in Safe Browsing in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Apple Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13808 MEDIUM PATCH This Month

Sensitive process memory exposure in Google Chrome for iOS prior to 150.0.7871.47 enables a physically present attacker to read potentially sensitive data from the browser's memory without authentication. The root cause is insufficient data validation (CWE-20) within the iOS-specific Chrome implementation. No public exploit code or CISA KEV listing has been identified at time of analysis, and the physical access requirement (CVSS AV:P) significantly constrains real-world attacker opportunity.

Information Disclosure Apple Google Suse
NVD VulDB
CVSS 3.1
4.6
EPSS
0.1%
CVE-2026-13807 HIGH PATCH This Week

Remote code execution in Google Chrome on iOS prior to 150.0.7871.47 stems from a use-after-free in the browser's Import component, allowing a remote attacker who lures a victim into opening a malicious file and performing specific UI gestures to execute arbitrary code. Rated High by Chromium and CVSS 7.5, the flaw has no public exploit identified at time of analysis and a low EPSS of 0.24% (15th percentile), consistent with its high attack complexity and required user interaction. A vendor patch is available in the June 2026 Stable channel update.

Memory Corruption Google Apple Denial Of Service Use After Free +2
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-13806 HIGH PATCH This Week

Insufficient validation of untrusted input in Accessibility in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-13805 HIGH PATCH This Week

Remote code execution in Google Chrome for macOS prior to 150.0.7871.47 stems from a use-after-free in the GFX (graphics) component, allowing a remote attacker to run arbitrary code after a victim opens a crafted HTML page. Chromium rates the severity High and the CVSS is 8.8, but exploitation requires user interaction (visiting a malicious page). There is no public exploit identified at time of analysis and EPSS is low (0.26%, 17th percentile), indicating no observed weaponization yet.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13804 HIGH PATCH This Week

Sandbox escape in Google Chrome's Chromecast component (versions before 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox and reach the host via a crafted HTML page. Rooted in a use-after-free (CWE-416) memory-corruption bug rated High by Chromium, it carries a CVSS 8.3 driven by a scope change and full CIA impact, but requires a pre-existing renderer compromise, high attack complexity, and user interaction. No public exploit identified at time of analysis, and the low EPSS (0.21%) plus SSVC 'exploitation: none' indicate it is not currently being exploited.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13803 HIGH PATCH This Week

Sandbox escape in Google Chrome desktop before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process escalate out of the sandbox via a crafted HTML page that triggers a type-confusion bug (CWE-843) in the Tabs component. Exploitation is gated behind prior renderer compromise and user interaction, and the flaw is rated High by Chromium with a CVSS 8.3 due to scope change and total impact. There is no public exploit identified at time of analysis, EPSS is low (0.23%, 13th percentile), and CISA SSVC lists exploitation as none.

Memory Corruption Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13802 HIGH PATCH This Week

Remote code execution in Google Chrome (Views UI component) prior to 150.0.7871.47 allows a remote attacker to execute arbitrary code by luring a victim to a crafted HTML page and inducing specific UI gestures that trigger a use-after-free. Rated High by Chromium and CVSS 7.5, the flaw is elevated in complexity by its requirement for user interaction, and no public exploit has been identified at time of analysis; EPSS probability is low at 0.26%.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13801 HIGH PATCH This Week

Integer overflow in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow Google Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-13800 HIGH PATCH This Week

Local privilege escalation in the Google Chrome Updater on Windows (versions prior to 150.0.7871.47) allows a local attacker to gain OS-level privileges by planting a malicious file that the Updater component mishandles. Rated High by Chromium and CVSS 7.8, exploitation requires local access plus user interaction; there is no public exploit identified at time of analysis, and EPSS is low at 0.13% (3rd percentile). A vendor patch is available in the June 2026 Stable Channel release.

Authentication Bypass Privilege Escalation Microsoft Google Suse
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-13799 HIGH PATCH This Week

Heap corruption in Google Chrome's QUIC networking stack (versions prior to 150.0.7871.47) stems from a use-after-free that a remote attacker can trigger through crafted network traffic, potentially leading to arbitrary code execution in the affected browser process. Google rated the Chromium security severity as High and has shipped a fixed Stable-channel build; there is no public exploit identified at time of analysis and CISA's SSVC records exploitation status as 'none'. EPSS is low (0.19%, 9th percentile), indicating no observed weaponization despite a total technical-impact rating.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-13798 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop versions prior to 150.0.7871.47 stems from a heap buffer overflow in the Chromecast component, letting an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Rated High by Chromium and CVSS 9.6, but it is a second-stage bug requiring prior renderer control, and there is no public exploit identified at time of analysis (SSVC exploitation: none, EPSS 0.22%). No CISA KEV listing exists, indicating no confirmed active exploitation.

Heap Overflow Buffer Overflow Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13797 CRITICAL PATCH Act Now

Insufficient validation of untrusted input in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13796 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Chromecast component before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page, escalating from renderer-level code execution to the more privileged browser process. Google rates the Chromium severity High and the CVSS is 9.6 due to the scope change; however, EPSS is only 0.21% (11th percentile) and there is no public exploit identified at time of analysis. A vendor patch is available.

Buffer Overflow Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13795 MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for iOS (prior to 150.0.7871.47) permits a remote, unauthenticated attacker to circumvent client-side policy controls by delivering a crafted HTML page to a victim user. The flaw originates from insufficient policy enforcement (CWE-602), where navigation security logic enforced within the browser client can be subverted through malicious web content. No active exploitation has been identified - CISA KEV is not listed, SSVC confirms Exploitation: none, and the EPSS score of 0.22% (13th percentile) reflects minimal real-world exploitation activity at time of analysis.

Authentication Bypass Apple Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13794 HIGH PATCH This Week

Remote code execution in Google Chrome on Windows before version 150.0.7871.47 allows an attacker to run arbitrary code by luring a victim to a crafted HTML page and getting them to perform specific UI gestures against the WebAppInstalls component. Chromium rates the flaw High severity; no public exploit identified at time of analysis, and the EPSS probability is low (0.26%, 17th percentile), indicating the attack is not yet broadly commoditized despite the serious impact.

RCE Microsoft Google Suse
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-13793 MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's SVG rendering subsystem (versions prior to 150.0.7871.47) allows remote attackers to exfiltrate sensitive information from other origins by directing victims to a crafted HTML page. The root cause is insufficient policy enforcement in SVG handling, classified as CWE-346 (Origin Validation Error), effectively bypassing Same-Origin Policy protections. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.21% (11th percentile), indicating low near-term exploitation likelihood despite a CVSS confidentiality impact rated High.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13792 CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for macOS versions prior to 150.0.7871.47 stems from a use-after-free in the Touchbar component, letting a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Reported through Google's internal Chrome security process and rated High by Chromium, it carries a CVSS 9.6 due to scope change and full CIA impact, though there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.21%. SSVC assesses current exploitation as none, indicating this is a patch-now-but-not-panic item.

Memory Corruption Denial Of Service Use After Free Google Suse
NVD VulDB
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-13791 HIGH PATCH This Week

Arbitrary code execution in Google Chrome desktop before 150.0.7871.47 arises from insufficient input validation in the Downloads component, letting a crafted Chrome extension break out of its intended sandbox constraints. An attacker who first convinces a victim to install a malicious extension can leverage the flaw to run arbitrary code, which Chromium rates High severity. No public exploit has been identified at time of analysis and EPSS is low (0.15%, 5th percentile), indicating no observed widespread exploitation.

RCE Google Suse
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-13790 MEDIUM PATCH This Month

Side-channel information leakage via Chrome's Scroll implementation exposes cross-origin data to remote attackers who can lure a victim to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected; exploitation requires user interaction (visiting the attacker-controlled page) but no authentication. No public exploit identified at time of analysis and EPSS sits at the 11th percentile, though the confidentiality impact is rated High by NVD given the potential to read data from foreign origins.

Information Disclosure Google Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-13788 HIGH PATCH This Week

Remote code execution in Google Chrome for Android before 150.0.7871.47 stems from a use-after-free in the Fullscreen component, letting a remote attacker who lures a victim to a crafted HTML page corrupt memory and run arbitrary code in the renderer. Chromium rates the flaw Critical, though CVSS scores it 8.8 because exploitation requires the victim to open the malicious page. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.26%, 17th percentile), with CISA SSVC showing no known exploitation.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-13787 HIGH PATCH This Week

Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Windows affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) lets a remote attacker corrupt memory via malicious network traffic. Google rates the Chromium severity Critical, and a vendor patch is available, but there is no public exploit identified at time of analysis and EPSS is low at 0.24%. High attack complexity (AC:H) means the memory-corruption race is non-trivial to win reliably, tempering the CVSS 8.1 score.

Memory Corruption Google Microsoft Denial Of Service Use After Free +2
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-13786 HIGH PATCH This Week

Remote code execution in Google Chrome's Ozone platform-abstraction layer prior to 150.0.7871.47 lets a remote attacker execute arbitrary code by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated Critical by Chromium and CVSS 8.8, requiring the victim to visit a malicious page (UI:R) but no privileges. No public exploit has been identified at time of analysis and EPSS probability is low (0.26%), but the memory-corruption class and 'total' technical impact make it a high-priority browser patch.

Memory Corruption Google Denial Of Service Use After Free RCE +1
NVD VulDB
CVSS 3.1
8.8
EPSS
0.3%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Content Security Policy bypass in Google Chrome prior to 150.0.7871.47 is achievable by an attacker holding a privileged network position who can manipulate traffic between the victim's browser and a server. The flaw originates in Chrome's Network component (CWE-693: Protection Mechanism Failure), where an inappropriate implementation allows CSP enforcement to be circumvented via crafted network traffic, yielding a High Integrity impact. No active exploitation is confirmed - the vulnerability is absent from CISA KEV and carries an EPSS score of 0.15% (4th percentile) - but the attack vector is unauthenticated and the integrity impact is significant for high-value targets on adversarial networks.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Memory disclosure in Google Chrome's GPU component on Windows enables a remote attacker - who has already established renderer process compromise - to extract sensitive data from process memory via a crafted HTML page. Affected versions are all Chrome for Windows releases prior to 150.0.7871.47. This is a second-stage exploit component: it does not independently achieve remote code execution but can be chained with a renderer exploit to leak process memory contents, potentially exposing credentials, tokens, or other in-memory sensitive data. No public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Race condition in the DataTransfer API in Google Chrome prior to 150.0.7871.47 allows a remote attacker to read potentially sensitive data from renderer process memory by luring a user to a specially crafted HTML page. The CVSS vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) confirms the impact is limited to confidentiality - no integrity or availability loss - and that reliable exploitation requires winning a timing race (AC:H) combined with user interaction. No public exploit identified at time of analysis; Google has shipped a patch in the stable channel update dated June 2026.

Information Disclosure Race Condition Google +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in Chrome's Layout engine prior to 150.0.7871.47 allows remote attackers to leak potentially sensitive data from the renderer process memory by serving a crafted HTML page. User interaction is required - the victim must visit the malicious page - limiting automated mass exploitation. No public exploit code has been identified at time of analysis, and CISA SSVC rates exploitation status as none with partial technical impact, placing real-world urgency below what the CVSS 6.5 score alone might suggest.

Memory Corruption Buffer Overflow Google +1
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for Android before 150.0.7871.47 lets a local attacker break out of the renderer/browser sandbox by feeding a malicious file into the WebAppInstalls component, which insufficiently validates untrusted input (CWE-20). Chromium rates the security severity as Medium, and no public exploit has been identified at time of analysis; EPSS estimates only a 0.13% (3rd percentile) chance of exploitation in the next 30 days. A vendor patch is available in Chrome 150.0.7871.47.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

GuestView policy enforcement in Google Chrome prior to 150.0.7871.47 can be subverted by an attacker who has already achieved renderer process compromise, allowing site isolation to be bypassed via a crafted HTML page. The flaw (CWE-602: Client-Side Enforcement of Server-Side Security) enables manipulation of cross-origin content or policy in embedded browsing contexts that Chrome's site isolation architecture is designed to protect. No public exploit code has been identified and EPSS places exploitation probability at 0.22% (13th percentile), consistent with the elevated prerequisite of a prior renderer compromise required to trigger this vulnerability.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandboxed remote code execution in the WebView component of Google Chrome for Android before 150.0.7871.47 lets a remote attacker run arbitrary code within the renderer sandbox when a victim loads a crafted HTML page. Rated CVSS 8.8 (network vector, no privileges, requires user interaction), the flaw is a CWE-416 use-after-free, but code execution is confined to the sandbox and would require a separate escape to reach the host. No public exploit identified at time of analysis, and EPSS is low at 0.26% (17th percentile), indicating limited near-term mass-exploitation pressure despite the high base score.

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Device component on Windows (versions prior to 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page, exploiting a use-after-free (CWE-416). Google rates the Chromium security severity as Medium, reflecting that it is a second-stage bug requiring prior renderer compromise, though the NVD CVSS of 9.6 is inflated by the sandbox scope change. There is no public exploit identified at time of analysis and EPSS is low (0.21%), indicating no current sign of widespread exploitation.

Memory Corruption Google Microsoft +3
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome on Android prior to 150.0.7871.47 enables a remote attacker - who has already achieved renderer process compromise via a separate exploit - to break cross-origin security boundaries using a crafted HTML page. The root cause is CWE-346 (Origin Validation Error) in Chrome's Android-specific network implementation, meaning the network layer fails to enforce origin checks when requests originate from a compromised renderer context. No active exploitation is confirmed (not in CISA KEV), and the EPSS score of 0.22% at the 13th percentile reflects the high chaining complexity required.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing via Chrome's Geolocation implementation (versions prior to 150.0.7871.47) allows a remote, unauthenticated attacker to deceive users about the origin or context of geolocation permission requests through a crafted HTML page. Exploitation requires user interaction with the malicious page, limiting automated attack potential. With EPSS at 0.21% (11th percentile), no CISA KEV listing, and no public exploit identified, real-world exploitation risk is low despite the broad deployment footprint of Chrome.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Site isolation bypass in Google Chrome for Android (prior to 150.0.7871.47) allows a remote attacker who has already achieved renderer process compromise to cross origin boundaries using a crafted HTML page, enabling high-integrity impact against other open sites. The root cause is CWE-20 (Improper Input Validation) within Chrome's Input subsystem on Android - an input handling implementation flaw that fails to enforce cross-origin separation once the renderer is under adversary control. No public exploit has been identified at time of analysis and EPSS sits at 0.22% (13th percentile), placing this firmly in the category of a meaningful escalation primitive rather than a standalone mass-exploitation risk.

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing in Google Chrome Enterprise prior to version 150.0.7871.47 allows unauthenticated remote attackers to deceive users into believing they are interacting with legitimate browser UI by serving a crafted HTML page. The root cause is insufficient validation of untrusted HTML input within Chrome's Enterprise component (CWE-20), enabling an attacker to manipulate visual elements such as address bars, dialog prompts, or permission requests. No public exploit has been identified at time of analysis and EPSS sits at 0.21% (11th percentile), indicating low current exploitation probability despite a network-accessible attack vector.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation in Google Chrome desktop prior to 150.0.7871.47 stems from insufficient policy enforcement in the WebHID subsystem, letting a maliciously crafted extension escape its intended boundaries and gain elevated access to human-interface devices and browser privileges. Exploitation first requires convincing a victim to install the malicious extension, after which a crafted Chrome Extension bypasses WebHID access controls. Chromium rates the issue Medium; no public exploit is identified at time of analysis and EPSS exploitation probability is low (0.13%, 3rd percentile).

Authentication Bypass Privilege Escalation Google +1
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Privilege escalation in Google Chrome for Android (CustomTabs) prior to 150.0.7871.47 allows a local attacker to escalate privileges by supplying a malicious file that CustomTabs fails to validate properly. Google rates the Chromium severity as Medium, and the requirement for user interaction plus local access limits remote mass exploitation. No public exploit has been identified at time of analysis and the EPSS score is very low (0.13%, 3rd percentile), so opportunistic exploitation appears unlikely.

Privilege Escalation Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient policy enforcement in Web Authentication (Passkeys & Security Keys) in Google Chrome on iOS prior to 150.0.7871.47 allowed an attacker in a privileged network position to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Apple Google +1
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox and reach the host via a crafted HTML page, exploiting a use-after-free (CWE-416) in the Core component. Google-assigned Chromium severity is Medium, though the NVD CVSS is 9.6 due to the cross-boundary scope change. No public exploit identified at time of analysis, and EPSS is low (0.21%, 11th percentile), indicating it is not yet a mass-exploitation target.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

UI spoofing in Google Chrome's Autofill component on Windows (all versions prior to 150.0.7871.47) allows a remote unauthenticated attacker to mislead users into interacting with forged security UI elements by convincing them to perform specific on-page gestures against a crafted HTML page. Rooted in CWE-451 (UI Misrepresentation of Critical Information), the flaw enables an adversary to obscure or fabricate Autofill security indicators, potentially tricking users into submitting saved credentials or personal data to attacker-controlled destinations. No public exploit or CISA KEV listing has been confirmed; Google has released a fix in stable channel version 150.0.7871.47.

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Inappropriate implementation in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out-of-bounds read in Chrome's bundled FFmpeg video decoding component (all versions prior to 150.0.7871.47) allows a remote attacker to leak renderer process memory contents via a crafted video file. The CVSS vector confirms network reachability with no required privileges (PR:N) but mandates user interaction (UI:R), meaning the victim must process the malicious video. SSVC assessment rates exploitation as none and the attack non-automatable, and no public exploit has been identified at time of analysis; Google has released a patched build at 150.0.7871.47.

Google Buffer Overflow Information Disclosure +1
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

UI spoofing via crafted HTML in Google Chrome's Geometry component (versions prior to 150.0.7871.47) enables remote attackers to misrepresent security-critical interface elements to users who are socially engineered into performing specific UI gestures. The flaw stems from an inappropriate implementation in Chrome's Geometry subsystem (CWE-451), affecting the integrity and availability of the browser interface at low impact levels. No public exploit or active exploitation has been identified; Google has released a confirmed patch in version 150.0.7871.47.

Information Disclosure Google Suse
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Google Chrome for Android before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out further by feeding a crafted HTML page into the Speech component, which fails to validate untrusted input (CWE-20). Google rated it Medium severity; a fix has shipped in the Stable channel, EPSS is low (0.21%, 11th percentile), and there is no public exploit identified at time of analysis. This is a sandbox-escape-class chaining bug rather than a standalone remote drive-by, since it presupposes a prior renderer compromise.

Privilege Escalation Google Suse
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome on Linux (versions prior to 150.0.7871.47) stems from a use-after-free in the Ozone platform layer, allowing a remote attacker who lures a victim into performing specific UI gestures on a crafted HTML page to execute arbitrary code in the browser context. Rated High by Chromium and CVSS 7.5, exploitation is gated by required user interaction and high attack complexity. There is no public exploit identified at time of analysis, and the EPSS probability is low at 0.26% (17th percentile).

Memory Corruption Google Denial Of Service +3
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome on Linux (versions prior to 150.0.7871.47) stems from a use-after-free in Ozone, Chrome's platform abstraction layer for windowing and graphics. An attacker who has already compromised the renderer process can leverage a crafted HTML page to break out of the browser sandbox and gain code execution at the higher-privileged browser-process level. There is no public exploit identified at time of analysis, and the EPSS score is low (0.21%, 11th percentile), consistent with a second-stage bug that requires a prior renderer compromise rather than a directly weaponizable single-shot flaw.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Journeys (browsing history) component, allowing a remote attacker who has already compromised the renderer process to break out of the sandbox and gain broader code execution on the host via a crafted HTML page. Rated High severity by Chromium and CVSS 9.6, a fix is available from vendor; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.21%, 11th percentile). Exploitation is meaningful only as the second stage of a chain, since it presupposes prior renderer compromise.

Memory Corruption Denial Of Service Use After Free +2
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Discretionary access control bypass in Google Chrome for Android before 150.0.7871.47 lets a local attacker abuse the WebAppInstalls component through a crafted HTML page, undermining the platform's integrity and availability boundaries. Google rates the Chromium severity High and has shipped a fix in the Stable channel; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile).

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Access-control bypass in Google Chrome for Android before 150.0.7871.47 allows an attacker to subvert discretionary access controls through the WebAppInstalls component by serving a crafted HTML page, stemming from insufficient validation of untrusted input. Rated High by Chromium and scored CVSS 9.1, the flaw carries high integrity and availability impact but no confidentiality loss; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.14%, 4th percentile).

Authentication Bypass Google Suse
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandboxed arbitrary code execution in Google Chrome for iOS before 150.0.7871.47 lets an attacker who convinces a user to open a malicious file run code inside the browser's sandbox due to insufficient validation of untrusted input. Google rates the Chromium severity High and ships the fix in 150.0.7871.47; EPSS is low (0.15%, 4th percentile) and there is no public exploit identified at time of analysis. The flaw requires user interaction (opening the file) and, per the description, the resulting execution is confined to the sandbox rather than the underlying OS.

Apple RCE Google +1
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Insufficient validation of untrusted input in Chromoting in Google Chrome on Windows prior to 150.0.7871.47 allowed a local attacker to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Information Disclosure Microsoft Google +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Forms component, letting a remote attacker who lures a victim to a crafted HTML page corrupt memory and execute arbitrary code within the browser's renderer sandbox. Chromium rates the flaw High severity, CVSS 8.8, requiring only that the user visit a malicious page; there is no public exploit identified at time of analysis and EPSS exploitation probability is low (0.26%, 17th percentile). A vendor patch is available in the June 2026 Stable channel release.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Apple Google +1
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for macOS before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the browser sandbox by exploiting a use-after-free in the USB subsystem via a crafted HTML page. Rated High by Chromium and CVSS 9.6, it functions as a second-stage escalation primitive rather than a standalone entry point. There is no public exploit identified at time of analysis, and EPSS is low at 0.21% (11th percentile).

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary code execution in Google Chrome's DOM implementation lets a remote attacker run code within the renderer sandbox by luring a victim to a crafted HTML page. All desktop Chrome builds before 150.0.7871.47 are affected; Chromium rates the flaw High severity. No public exploit has been identified and EPSS probability is low (0.26%), but the vendor patch is already available and should be applied promptly.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local OS-level privilege escalation in Google Chrome on Windows (versions prior to 150.0.7871.47) arises from a use-after-free in the Chrome Updater component, letting a local attacker who can plant a malicious file on the system elevate to higher OS privileges. Google rates the Chromium severity as High and has released a fixed Stable channel build; there is no public exploit identified and it is not listed in CISA KEV. EPSS is low at 0.13% (3rd percentile), consistent with a bug that requires local access and user interaction rather than mass remote exploitation.

Memory Corruption Google Microsoft +4
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Insufficient validation of untrusted input in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Apple Google +1
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Omnibox spoofing in Google Chrome for iOS prior to 150.0.7871.47 enables remote unauthenticated attackers to display a falsified URL in the browser address bar by delivering a crafted HTML page to an iOS user. The flaw is classified CWE-451 (UI misrepresentation of critical information) and is iOS-platform-specific, with no impact on Chrome for Android, Windows, macOS, or Linux. No active exploitation is confirmed - the vulnerability is not listed in CISA KEV and EPSS sits at 0.22% (12th percentile) - but the spoofing primitive is a classic enabler of targeted phishing campaigns against mobile users.

Information Disclosure Apple Google +1
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Integer overflow in Skia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's Canvas component prior to version 150.0.7871.47 exposes sensitive cross-origin content to remote attackers via a crafted HTML page. The flaw bypasses Same-Origin Policy protections enforced at the Canvas API layer, enabling pixel-level or structured data extraction from cross-origin resources rendered in a canvas context. With CVSS 6.5, EPSS at 0.21% (11th percentile), and no CISA KEV listing or public exploit identified at time of analysis, real-world exploitation is low-probability but credible given the zero-privilege, network-accessible attack path requiring only a single user visit.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Inappropriate implementation in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Same-origin policy bypass in Google Chrome's CSS implementation allows a remote, unauthenticated attacker to violate cross-origin integrity protections by luring a user to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected. Google has released a patch; no active exploitation is confirmed (not listed in CISA KEV), and the EPSS score of 0.22% at the 13th percentile indicates low current exploitation probability.

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

UI spoofing in Google Chrome before 150.0.7871.47 allows remote unauthenticated attackers to visually deceive users by serving a crafted HTML page that exploits a flaw in Chrome's CSS implementation. The flaw (CWE-451: UI Misrepresentation of Critical Information) enables attacker-controlled content to obscure or mimic trusted browser UI elements such as the address bar or security indicators, creating a credible phishing surface. No public exploit has been identified at time of analysis, and the EPSS score of 0.22% (12th percentile) indicates minimal observed exploitation activity; however, Google's internal Chromium severity rating of 'High' reflects the significant phishing and credential-theft potential inherent in convincing browser UI spoofing.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome's CSS implementation prior to version 150.0.7871.47 allows a remote attacker to inject arbitrary scripts or HTML across origin boundaries by luring a victim to a crafted HTML page. The flaw exploits an inappropriate handling of CSS that causes Chrome's renderer to break the same-origin policy, enabling script execution in the context of other origins. No public exploit or CISA KEV listing has been identified; EPSS probability is very low (0.21%, 12th percentile), suggesting limited active exploitation at time of analysis.

XSS Google Suse
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Inappropriate implementation in XML in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Google Heap Overflow Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's ANGLE graphics library on macOS allows a remote attacker to exfiltrate sensitive cross-origin data by luring a victim to a crafted HTML page. Affected are all Chrome versions on Mac prior to 150.0.7871.47. The flaw stems from uninitialized memory use within ANGLE, Chrome's graphics abstraction layer, enabling residual memory contents from other security origins to be read and potentially returned to an attacker-controlled page. No public exploit code or active exploitation has been identified at time of analysis; EPSS is low at 0.23% (13th percentile), consistent with a high-CVSS flaw constrained by both user-interaction and platform requirements.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's Headless component (versions prior to 150.0.7871.47) lets a remote attacker who has already compromised the renderer process break out of the browser sandbox by serving a crafted HTML page. Rated High by Chromium and CVSS 8.3, it is a CWE-416 use-after-free with no public exploit identified at time of analysis; EPSS is low at 0.21% (11th percentile) and CISA SSVC records no known exploitation.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Out-of-bounds read/write (use-after-free) in Google Chrome's GPU component lets a remote attacker who has already compromised the renderer process run arbitrary code - though still confined inside the sandbox - by serving a crafted HTML page to a Chrome build prior to 150.0.7871.47. Google rates the Chromium severity High and has shipped a fixed Stable-channel build; there is no public exploit identified at time of analysis and EPSS puts near-term exploitation probability at just 0.26%.

Memory Corruption Google Buffer Overflow +3
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Linux allows an adjacent-network attacker to run arbitrary code by sending malicious network traffic to a vulnerable client before version 150.0.7871.47. The flaw is a use-after-free memory-corruption issue rated High by Chromium and carries a CVSS 8.8. There is no public exploit identified at time of analysis, it is not in CISA KEV, and EPSS is low (0.24%, 15th percentile), indicating no observed exploitation activity yet.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Insufficient validation of untrusted input in Settings in Google Chrome on Windows prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Memory disclosure in Google Chrome's Enterprise policy implementation exposes sensitive process memory contents to remote attackers who can direct victims to a crafted HTML page. All Chrome desktop releases prior to 150.0.7871.47 are affected. No public exploit code exists and CISA SSVC classifies exploitation status as none, but the high confidentiality impact and zero-privilege-required attack path make prompt patching advisable for enterprise-managed Chrome deployments.

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in Google Chrome's Updater component on macOS versions prior to 150.0.7871.47 lets an attacker abuse a use-after-free (CWE-416) via a malicious file to gain the elevated privileges under which the updater runs. Google rates the Chromium severity as High, and the CVSS 3.1 base score is 7.8; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. EPSS is low at 0.13% (3rd percentile), consistent with the SSVC exploitation status of 'none'.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage via Chrome's Autofill implementation on Android allows a remote attacker with prior renderer process compromise to extract sensitive data across origin boundaries using a crafted HTML page. Affected versions are all Chrome for Android releases prior to 150.0.7871.47. No public exploit code has been identified and the EPSS score of 0.21% (11th percentile) reflects low observed exploitation activity; however, the cross-origin data exposure (CWE-346) combined with Autofill access creates meaningful privacy risk for users on vulnerable Android builds. Google has released a patch in the stable channel update.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Uninitialized Use in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege escalation in Google Chrome's Extensions subsystem before version 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of that context and gain elevated privileges by delivering a crafted HTML page. Google rates the Chromium severity as High, and the assigned CVSS is 7.5 (AV:N/AC:H). There is no public exploit identified at time of analysis, EPSS is low (0.21%, 11th percentile), and CISA's SSVC framework records exploitation status as none, indicating this is currently a patch-and-move-on issue rather than an active threat.

Privilege Escalation Google Suse
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Use after free in Glic in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Inappropriate implementation in Extensions in Google Chrome on Android prior to 150.0.7871.47 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome desktop versions prior to 150.0.7871.47 stems from a use-after-free in the Canvas component, letting a remote attacker run arbitrary code within the renderer sandbox when a victim opens a crafted HTML page. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (visiting a malicious page), but no authentication. There is no public exploit identified at time of analysis, and EPSS is low at 0.26% (17th percentile).

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Out of bounds read in Skia in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Out of bounds read in ANGLE in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)

Google Buffer Overflow Information Disclosure +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome's Passwords subsystem allows a remote attacker to circumvent intended access controls by delivering a crafted HTML page to a user. All Chrome desktop versions prior to 150.0.7871.47 are affected, with integrity rated High by CVSS due to the ability to manipulate navigation behavior. No public exploit exists at time of analysis and EPSS sits at 0.22% (13th percentile), indicating low near-term exploitation probability despite Chrome's enormous global footprint and Chromium's internal 'High' severity classification.

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Sandbox escape in Google Chrome versions prior to 150.0.7871.47 stems from insufficient input validation in the Glic component, allowing a remote attacker who lures a victim to a crafted HTML page to potentially break out of the renderer sandbox. The flaw carries a CVSS 8.8 (High) rating and requires user interaction (visiting a malicious page); there is no public exploit identified at time of analysis and EPSS estimates only a 0.21% exploitation probability. A vendor patch is available and the issue is not listed in CISA KEV.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome for Android prior to 150.0.7871.47 enables remote attackers to read data from other origins via a crafted HTML page exploiting insufficient validation in the File Input component. The flaw is Android-platform-specific, requiring only that a victim user navigate to an attacker-controlled page. No active exploitation has been confirmed (CISA KEV negative, SSVC exploitation: none), and EPSS at 0.21% (11th percentile) reflects low current exploitation interest, though the unauthenticated, low-complexity attack vector keeps it a relevant patching priority for Android Chrome deployments.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Blink rendering engine (versions prior to 150.0.7871.47) allows a remote attacker to run arbitrary code inside the renderer sandbox by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated High by Chromium and 8.8 (CVSS 3.1); it requires user interaction (visiting a malicious page) and no privileges. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, with a low EPSS of 0.26% (17th percentile).

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Heap corruption via a use-after-free in the Views UI component of Google Chrome allows a remote attacker who serves a crafted HTML page and lures a user into performing specific UI gestures to potentially execute code in the browser process. All desktop Chrome builds prior to 150.0.7871.47 are affected; Google rates the Chromium severity as High and has shipped a fix. No public exploit identified at time of analysis, and EPSS is low (0.21%, 11th percentile).

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome for iOS prior to 150.0.7871.47 lets a remote attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page, escalating from renderer-level code execution to broader access on the device. The flaw stems from insufficient policy enforcement (CWE-20) and carries a High Chromium severity rating with a CVSS 8.3 (scope-changed) score. There is no public exploit identified at time of analysis and it is not in CISA KEV; EPSS probability is low at 0.21% (11th percentile).

Information Disclosure Apple Google +1
NVD VulDB
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Universal Cross-Site Scripting (UXSS) in Google Chrome for iOS prior to 150.0.7871.47 enables a remote attacker to inject arbitrary scripts or HTML across origins by exploiting insufficient input validation triggered through specific user UI gestures on a crafted page. The scope change (S:C in CVSS) is the critical dimension here - successful exploitation bypasses the same-origin policy, potentially granting the attacker script execution in the context of arbitrary origins within the browser session. No public exploit code has been identified and EPSS sits at just 0.20% (11th percentile), indicating low observed exploitation activity despite the high-impact class of vulnerability.

Code Injection Apple Google +1
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Renderer-process remote code execution in Google Chrome desktop before 150.0.7871.47 stems from a use-after-free in the Input Method Editor (IME) component, letting a remote attacker run arbitrary code within the browser's sandbox when a victim visits a crafted HTML page. Rated High by Chromium and CVSS 8.8, it requires user interaction (visiting a page) but no authentication. No public exploit identified at time of analysis, and the EPSS score is low (0.26%, 17th percentile), indicating no evidence of widespread exploitation yet.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Memory disclosure in Google Chrome for Linux (prior to 150.0.7871.47) allows a remote attacker to read sensitive contents from the browser's process memory by directing a user to a crafted HTML page. The flaw stems from an inappropriate implementation in Chrome's input handling subsystem, and is platform-specific - only Linux builds are affected. No public exploit code or CISA KEV listing has been identified at the time of analysis, but the network-reachable, zero-authentication attack path and high confidentiality impact make patching a near-term priority for Linux desktop environments.

Google Information Disclosure Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Side-channel information leakage in Safe Browsing in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Apple Google +1
NVD VulDB
EPSS 0% CVSS 4.6
MEDIUM PATCH This Month

Sensitive process memory exposure in Google Chrome for iOS prior to 150.0.7871.47 enables a physically present attacker to read potentially sensitive data from the browser's memory without authentication. The root cause is insufficient data validation (CWE-20) within the iOS-specific Chrome implementation. No public exploit code or CISA KEV listing has been identified at time of analysis, and the physical access requirement (CVSS AV:P) significantly constrains real-world attacker opportunity.

Information Disclosure Apple Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome on iOS prior to 150.0.7871.47 stems from a use-after-free in the browser's Import component, allowing a remote attacker who lures a victim into opening a malicious file and performing specific UI gestures to execute arbitrary code. Rated High by Chromium and CVSS 7.5, the flaw has no public exploit identified at time of analysis and a low EPSS of 0.24% (15th percentile), consistent with its high attack complexity and required user interaction. A vendor patch is available in the June 2026 Stable channel update.

Memory Corruption Google Apple +4
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Insufficient validation of untrusted input in Accessibility in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Authentication Bypass Google Suse
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome for macOS prior to 150.0.7871.47 stems from a use-after-free in the GFX (graphics) component, allowing a remote attacker to run arbitrary code after a victim opens a crafted HTML page. Chromium rates the severity High and the CVSS is 8.8, but exploitation requires user interaction (visiting a malicious page). There is no public exploit identified at time of analysis and EPSS is low (0.26%, 17th percentile), indicating no observed weaponization yet.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome's Chromecast component (versions before 150.0.7871.47) lets an attacker who has already compromised the renderer process break out of the browser sandbox and reach the host via a crafted HTML page. Rooted in a use-after-free (CWE-416) memory-corruption bug rated High by Chromium, it carries a CVSS 8.3 driven by a scope change and full CIA impact, but requires a pre-existing renderer compromise, high attack complexity, and user interaction. No public exploit identified at time of analysis, and the low EPSS (0.21%) plus SSVC 'exploitation: none' indicate it is not currently being exploited.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Sandbox escape in Google Chrome desktop before 150.0.7871.47 lets a remote attacker who has already compromised the renderer process escalate out of the sandbox via a crafted HTML page that triggers a type-confusion bug (CWE-843) in the Tabs component. Exploitation is gated behind prior renderer compromise and user interaction, and the flaw is rated High by Chromium with a CVSS 8.3 due to scope change and total impact. There is no public exploit identified at time of analysis, EPSS is low (0.23%, 13th percentile), and CISA SSVC lists exploitation as none.

Memory Corruption Information Disclosure Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome (Views UI component) prior to 150.0.7871.47 allows a remote attacker to execute arbitrary code by luring a victim to a crafted HTML page and inducing specific UI gestures that trigger a use-after-free. Rated High by Chromium and CVSS 7.5, the flaw is elevated in complexity by its requirement for user interaction, and no public exploit has been identified at time of analysis; EPSS probability is low at 0.26%.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Integer overflow in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Buffer Overflow Google Suse
NVD VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

Local privilege escalation in the Google Chrome Updater on Windows (versions prior to 150.0.7871.47) allows a local attacker to gain OS-level privileges by planting a malicious file that the Updater component mishandles. Rated High by Chromium and CVSS 7.8, exploitation requires local access plus user interaction; there is no public exploit identified at time of analysis, and EPSS is low at 0.13% (3rd percentile). A vendor patch is available in the June 2026 Stable Channel release.

Authentication Bypass Privilege Escalation Microsoft +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Heap corruption in Google Chrome's QUIC networking stack (versions prior to 150.0.7871.47) stems from a use-after-free that a remote attacker can trigger through crafted network traffic, potentially leading to arbitrary code execution in the affected browser process. Google rated the Chromium security severity as High and has shipped a fixed Stable-channel build; there is no public exploit identified at time of analysis and CISA's SSVC records exploitation status as 'none'. EPSS is low (0.19%, 9th percentile), indicating no observed weaponization despite a total technical-impact rating.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome desktop versions prior to 150.0.7871.47 stems from a heap buffer overflow in the Chromecast component, letting an attacker who has already compromised the renderer process break out of the browser sandbox via a crafted HTML page. Rated High by Chromium and CVSS 9.6, but it is a second-stage bug requiring prior renderer control, and there is no public exploit identified at time of analysis (SSVC exploitation: none, EPSS 0.22%). No CISA KEV listing exists, indicating no confirmed active exploitation.

Heap Overflow Buffer Overflow Google +1
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Insufficient validation of untrusted input in Chromecast in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome's Chromecast component before 150.0.7871.47 lets an attacker who has already compromised the renderer process break out of the sandbox via a crafted HTML page, escalating from renderer-level code execution to the more privileged browser process. Google rates the Chromium severity High and the CVSS is 9.6 due to the scope change; however, EPSS is only 0.21% (11th percentile) and there is no public exploit identified at time of analysis. A vendor patch is available.

Buffer Overflow Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Navigation restriction bypass in Google Chrome for iOS (prior to 150.0.7871.47) permits a remote, unauthenticated attacker to circumvent client-side policy controls by delivering a crafted HTML page to a victim user. The flaw originates from insufficient policy enforcement (CWE-602), where navigation security logic enforced within the browser client can be subverted through malicious web content. No active exploitation has been identified - CISA KEV is not listed, SSVC confirms Exploitation: none, and the EPSS score of 0.22% (13th percentile) reflects minimal real-world exploitation activity at time of analysis.

Authentication Bypass Apple Google +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Remote code execution in Google Chrome on Windows before version 150.0.7871.47 allows an attacker to run arbitrary code by luring a victim to a crafted HTML page and getting them to perform specific UI gestures against the WebAppInstalls component. Chromium rates the flaw High severity; no public exploit identified at time of analysis, and the EPSS probability is low (0.26%, 17th percentile), indicating the attack is not yet broadly commoditized despite the serious impact.

RCE Microsoft Google +1
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-origin data leakage in Google Chrome's SVG rendering subsystem (versions prior to 150.0.7871.47) allows remote attackers to exfiltrate sensitive information from other origins by directing victims to a crafted HTML page. The root cause is insufficient policy enforcement in SVG handling, classified as CWE-346 (Origin Validation Error), effectively bypassing Same-Origin Policy protections. No public exploit has been identified at time of analysis, and EPSS places exploitation probability at 0.21% (11th percentile), indicating low near-term exploitation likelihood despite a CVSS confidentiality impact rated High.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Sandbox escape in Google Chrome for macOS versions prior to 150.0.7871.47 stems from a use-after-free in the Touchbar component, letting a remote attacker who lures a victim to a crafted HTML page potentially break out of the renderer sandbox. Reported through Google's internal Chrome security process and rated High by Chromium, it carries a CVSS 9.6 due to scope change and full CIA impact, though there is no public exploit identified at time of analysis and EPSS exploitation probability is low at 0.21%. SSVC assesses current exploitation as none, indicating this is a patch-now-but-not-panic item.

Memory Corruption Denial Of Service Use After Free +2
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Arbitrary code execution in Google Chrome desktop before 150.0.7871.47 arises from insufficient input validation in the Downloads component, letting a crafted Chrome extension break out of its intended sandbox constraints. An attacker who first convinces a victim to install a malicious extension can leverage the flaw to run arbitrary code, which Chromium rates High severity. No public exploit has been identified at time of analysis and EPSS is low (0.15%, 5th percentile), indicating no observed widespread exploitation.

RCE Google Suse
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Side-channel information leakage via Chrome's Scroll implementation exposes cross-origin data to remote attackers who can lure a victim to a crafted HTML page. All Chrome versions prior to 150.0.7871.47 are affected; exploitation requires user interaction (visiting the attacker-controlled page) but no authentication. No public exploit identified at time of analysis and EPSS sits at the 11th percentile, though the confidentiality impact is rated High by NVD given the potential to read data from foreign origins.

Information Disclosure Google Suse
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome for Android before 150.0.7871.47 stems from a use-after-free in the Fullscreen component, letting a remote attacker who lures a victim to a crafted HTML page corrupt memory and run arbitrary code in the renderer. Chromium rates the flaw Critical, though CVSS scores it 8.8 because exploitation requires the victim to open the malicious page. There is no public exploit identified at time of analysis, and the EPSS probability is low (0.26%, 17th percentile), with CISA SSVC showing no known exploitation.

Memory Corruption Google Denial Of Service +3
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Remote code execution in Google Chrome's Chromoting (Chrome Remote Desktop) component on Windows affects all desktop builds prior to 150.0.7871.47, where a use-after-free (CWE-416) lets a remote attacker corrupt memory via malicious network traffic. Google rates the Chromium severity Critical, and a vendor patch is available, but there is no public exploit identified at time of analysis and EPSS is low at 0.24%. High attack complexity (AC:H) means the memory-corruption race is non-trivial to win reliably, tempering the CVSS 8.1 score.

Memory Corruption Google Microsoft +4
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Remote code execution in Google Chrome's Ozone platform-abstraction layer prior to 150.0.7871.47 lets a remote attacker execute arbitrary code by luring a victim to a crafted HTML page. The flaw is a use-after-free (CWE-416) rated Critical by Chromium and CVSS 8.8, requiring the victim to visit a malicious page (UI:R) but no privileges. No public exploit has been identified at time of analysis and EPSS probability is low (0.26%), but the memory-corruption class and 'total' technical impact make it a high-priority browser patch.

Memory Corruption Google Denial Of Service +3
NVD VulDB
Prev Page 5 of 104 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy