By weakness (CWE)
CWE-472: related vulnerabilities
CVEs classified under CWE-472. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
11 published vulnerabilities
- CVE-2026-10015HIGH 8.8
Google Chrome versions before 148.0.7778.216 contain an integer overflow vulnerability in the WTF (Web Template Framework) component that allows attackers to execute arbitrary code within the browser's sandbox environment. An attacker can exploit this by tricking a user into visiting a specially crafted webpage, leading to potential code execution with the privileges of the browser process.
- CVE-2026-10019HIGH 8.8
A vulnerability in Google Chrome's ANGLE graphics library (versions before 148.0.7778.216) allows attackers to trick users into visiting a malicious webpage that leaks sensitive data from other websites the user is currently viewing. The flaw stems from improper handling of large numbers in memory calculations, which an attacker can exploit to read cross-origin information that should remain isolated. Users on Windows, macOS, and Linux systems running affected Chrome versions are at risk.
- CVE-2026-10963HIGH 8.8
A flaw in Google Chrome's V8 JavaScript engine allows attackers to run malicious code within Chrome's security sandbox by tricking users into visiting a specially crafted webpage. The vulnerability stems from an integer overflow—a mathematical error where a number becomes too large for its storage space—that can be exploited without requiring any special permissions or user complexity beyond clicking a link. While the code executes inside the sandbox rather than directly on the operating system, successful exploitation still enables attackers to potentially steal data, modify information, or degrade browser functionality.
- CVE-2026-10964HIGH 8.8
A flaw in Google Chrome's JavaScript engine (V8) can allow an attacker to run malicious code within the browser's sandbox by tricking a user into visiting a specially crafted webpage. The vulnerability stems from an integer overflow—a type of memory handling error—that undermines the sandbox's security boundary. While the code runs in a confined environment, this still represents a significant security risk because it can be chained with other vulnerabilities to escape the sandbox and compromise the underlying system.
- CVE-2026-10965HIGH 8.8
A vulnerability in Google Chrome's DevTools allows attackers to execute malicious code within Chrome's sandbox by tricking users into visiting a specially crafted webpage. The flaw stems from an integer overflow—a coding error where a number exceeds its maximum value—that can be exploited without requiring special browser settings or elevated permissions. Chrome versions before 149.0.7827.53 are affected.
- CVE-2026-10986HIGH 8.8
A flaw in how Google Chrome processes media files can allow an attacker to execute code within Chrome's sandbox by tricking a user into opening a malicious file. The vulnerability stems from improper handling of numeric values in media processing, creating a window for code execution. While sandboxed, successful exploitation could grant an attacker access to sensitive data or control within the browser process.
- CVE-2026-10987HIGH 8.8
Google Chrome versions before 149.0.7827.53 contain an integer overflow flaw in the V8 JavaScript engine that allows attackers to run malicious code within Chrome's sandbox using a specially crafted webpage. An attacker would need to trick a user into visiting a malicious site, but requires no special privileges or browser plugins. The vulnerability is rated High severity.
- CVE-2026-10921HIGH 8.3
A flaw in Google Chrome's graphics processing library (Dawn) could allow an attacker to break out of the browser's security sandbox if they've already compromised the rendering engine. The vulnerability stems from an integer overflow—a situation where a number calculation wraps around and produces an incorrect value—that could be triggered by a specially crafted webpage. While the attacker would need to have already gained access to the renderer process, successfully exploiting this could grant them the same privileges as the operating system user running Chrome, potentially leading to full system compromise.
- CVE-2026-10924HIGH 8.3
A mathematical error in Chrome's Chromecast component allows an attacker who has already compromised Chrome's rendering engine to break out of the browser sandbox and gain full system access. The attacker needs to trick a user into visiting a malicious webpage while the renderer is already compromised. This is a serious vulnerability because sandbox escape means the attacker moves from limited browser permissions to unrestricted control of the entire device.
- CVE-2026-10009HIGH 7.5
A mathematical error in Chrome's graphics rendering engine (Skia) could allow attackers to break out of the browser sandbox and run malicious code if they've already compromised the browser's rendering process. The vulnerability affects Chrome versions before 148.0.7778.216 and requires user interaction, such as visiting a malicious webpage, to trigger the exploit.
- CVE-2026-10018MEDIUM 6.5
CVE-2026-10018 is a medium-severity integer overflow vulnerability in ANGLE (Almost Native Graphics Layer Engine), Google's graphics abstraction layer used in Chrome. An attacker can craft a malicious webpage that, when visited, causes Chrome to mishandle memory calculations in its graphics pipeline. This flaw allows the attacker to read sensitive data from the browser's process memory—potentially including cached credentials, session tokens, or other confidential information—without modifying or crashing the system. The vulnerability requires user interaction (visiting the malicious page) but does not require special privileges to exploit.