By vendor

Apple vulnerabilities

Known CVEs affecting Apple products, prioritized by severity, with SEC.co remediation and detection guidance.

108 published vulnerabilities · page 1 of 2

  • CVE-2026-10002HIGH 8.8

    A use-after-free memory flaw in PDFium, the PDF rendering engine embedded in Google Chrome, allows attackers to corrupt heap memory by tricking users into opening a specially crafted PDF file. The vulnerability affects Chrome versions before 148.0.7778.216 and requires user interaction to trigger. An attacker exploiting this could achieve code execution with the same privileges as the Chrome process.

  • CVE-2026-10007HIGH 8.8

    Google Chrome versions prior to 148.0.7778.216 contain a use-after-free memory safety flaw in SVG rendering that allows attackers to execute arbitrary code within the browser's sandbox by tricking users into visiting a malicious webpage. An attacker needs only to craft a deceptive HTML page and convince a user to open it—no special privileges or complex interaction are required beyond the initial click.

  • CVE-2026-10013HIGH 8.8

    A use-after-free vulnerability exists in Google Chrome's WebCodecs component that could allow an attacker to run malicious code within Chrome's sandbox by tricking a user into visiting a specially crafted website. The vulnerability affects Chrome versions before 148.0.7778.216 and requires user interaction (clicking a link or visiting a page) to be exploited. While the code execution occurs within the sandbox, this still represents a significant security risk as sandbox escapes are a known attack progression path.

  • CVE-2026-10015HIGH 8.8

    Google Chrome versions before 148.0.7778.216 contain an integer overflow vulnerability in the WTF (Web Template Framework) component that allows attackers to execute arbitrary code within the browser's sandbox environment. An attacker can exploit this by tricking a user into visiting a specially crafted webpage, leading to potential code execution with the privileges of the browser process.

  • CVE-2026-10016HIGH 8.8

    A use-after-free flaw exists in Google Chrome's DOM implementation that allows an attacker to execute code within the browser's sandbox by tricking a user into visiting a malicious website. The vulnerability affects Chrome versions before 148.0.7778.216 and requires user interaction (clicking a link or opening a page) but does not require any special permissions or account privileges.

  • CVE-2026-10019HIGH 8.8

    A vulnerability in Google Chrome's ANGLE graphics library (versions before 148.0.7778.216) allows attackers to trick users into visiting a malicious webpage that leaks sensitive data from other websites the user is currently viewing. The flaw stems from improper handling of large numbers in memory calculations, which an attacker can exploit to read cross-origin information that should remain isolated. Users on Windows, macOS, and Linux systems running affected Chrome versions are at risk.

  • CVE-2026-10021HIGH 8.8

    Google Chrome versions before 148.0.7778.216 contain a vulnerability in USB input handling that allows attackers to execute arbitrary code on a user's computer by tricking them into visiting a malicious website. The flaw stems from insufficient validation of untrusted data, meaning Chrome doesn't properly check or sanitize input before processing it through the USB subsystem. An attacker would need to craft a deceptive HTML page and convince a user to visit it, but once clicked, the attack requires no special privileges and can fully compromise the affected system.

  • CVE-2026-10882HIGH 8.8

    Google Chrome contains a use-after-free vulnerability in its network handling code that can allow attackers to execute arbitrary code on a user's system. The flaw affects Chrome versions prior to 149.0.7827.53 and is triggered when a victim visits a specially crafted webpage. Because successful exploitation requires user interaction (visiting a malicious site), the attack surface is primarily limited to social engineering scenarios, though the browser's ubiquity makes this a meaningful threat.

  • CVE-2026-10883HIGH 8.8

    A type confusion vulnerability in Google Chrome's ANGLE graphics library allows attackers to corrupt heap memory through specially crafted web pages. The flaw requires user interaction (visiting a malicious site) but can lead to complete system compromise—confidentiality, integrity, and availability are all at risk. Chrome versions before 149.0.7827.53 are affected.

  • CVE-2026-10885HIGH 8.8

    A use-after-free vulnerability exists in Chrome for iOS that allows attackers to execute arbitrary code on an iPhone or iPad by tricking users into visiting a malicious webpage. The flaw affects Google Chrome on iOS versions before 149.0.7827.53. Because it requires user interaction (clicking a link or viewing a page) but needs no special privileges, it poses a meaningful risk to mobile users, particularly if weaponized through social engineering or drive-by downloads.

  • CVE-2026-10888HIGH 8.8

    Google Chrome versions before 149.0.7827.53 contain a use-after-free memory vulnerability in the Cast Streaming feature that allows attackers on your local network to run arbitrary code on affected machines. An attacker doesn't need valid credentials or user interaction to exploit this—just the ability to send crafted network traffic to a vulnerable Chrome instance. This is a serious vulnerability because it bridges network access to code execution on systems within the same network segment.

  • CVE-2026-10890HIGH 8.8

    Google Chrome contains a use-after-free vulnerability in its Cast functionality that could allow an attacker on your local network to corrupt the browser's memory and potentially execute malicious code. The flaw affects Chrome versions prior to 149.0.7827.53 and requires no user interaction to trigger—an attacker simply needs to send specially crafted network traffic to exploit it. This is a local network attack vector, meaning the attacker must be on the same network segment as the target system.

  • CVE-2026-10893HIGH 8.8

    A use-after-free memory vulnerability exists in Google Chrome's Chromoting remote desktop feature that could allow an attacker to run malicious code on a victim's computer through specially crafted network traffic. The flaw affects Chrome versions before 149.0.7827.53 and requires user interaction to trigger. The vulnerability has been assigned a CVSS score of 8.8 (High severity).

  • CVE-2026-10895HIGH 8.8

    A use-after-free vulnerability in Chrome's Ozone component allows attackers to run arbitrary code on a user's computer by tricking them into visiting a malicious website. The flaw exists in versions of Chrome before 149.0.7827.53 and requires user interaction (clicking a link, visiting a page) but no special privileges. Once exploited, an attacker gains full control over the affected browser process and potentially the underlying system.

  • CVE-2026-10896HIGH 8.8

    A use-after-free vulnerability in Chrome for iOS allows attackers to execute arbitrary code on affected devices when a user visits a malicious website. The flaw exists in memory management within Chrome's iOS implementation and does not require any special user interaction beyond visiting a crafted HTML page. Google has assigned this a Critical severity rating within Chromium's internal severity scale, and CVSS scoring reflects it as HIGH (8.8).

  • CVE-2026-10897HIGH 8.8

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the GPU rendering engine handles certain HTML constructs. An attacker can craft a malicious web page that, when visited by a user, exploits this flaw to break out of Chrome's security sandbox—the isolation layer that normally prevents malicious code from accessing the underlying operating system. This is a serious issue because sandbox escapes give attackers direct access to your computer's resources, files, and credentials.

  • CVE-2026-10902HIGH 8.8

    A use-after-free memory vulnerability exists in Chrome's Ozone component that allows attackers to execute arbitrary code by tricking users into visiting a specially crafted webpage. The flaw requires user interaction (clicking a link or visiting a site) but poses a critical threat because successful exploitation grants full control over the browser process and potentially the underlying system.

  • CVE-2026-10903HIGH 8.8

    A use-after-free vulnerability exists in Google Chrome's WebRTC implementation that allows an attacker to execute arbitrary code within Chrome's sandbox by convincing a user to visit a malicious website. The vulnerability affects Chrome versions prior to 149.0.7827.53 and can lead to complete compromise of the browser process, including reading sensitive data, modifying content, and disrupting availability.

  • CVE-2026-10904HIGH 8.8

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in the V8 JavaScript engine that allows attackers to break out of the browser sandbox and run malicious code with full privileges. An attacker can exploit this by tricking a user into visiting a specially crafted website. Once triggered, the vulnerability bypasses Chrome's security boundary—the sandbox that normally isolates web content from the rest of the system—giving an attacker direct access to execute arbitrary code on the victim's machine.

  • CVE-2026-10907HIGH 8.8

    A memory safety vulnerability in Google Chrome's ANGLE rendering library allows an attacker to craft a malicious webpage that, when visited by a user, could corrupt the browser's memory heap. This out-of-bounds write flaw can lead to code execution with the privileges of the user running Chrome. The vulnerability requires user interaction—someone must visit the compromised or attacker-controlled page—but needs no special browser configuration or user permissions to trigger the exploit.

  • CVE-2026-10910HIGH 8.8

    Google Chrome contains a type confusion vulnerability in its V8 JavaScript engine that allows an attacker to execute arbitrary code within the browser's sandbox by sending a specially crafted HTML page to a user. The vulnerability requires user interaction (clicking a link or visiting a malicious site) but no special privileges. Once exploited, an attacker gains the ability to run code inside the sandbox, potentially leading to data theft, credential capture, or lateral movement to the underlying system.

  • CVE-2026-10922HIGH 8.8

    CVE-2026-10922 is a same-origin policy bypass vulnerability in Google Chrome's Developer Tools that allows an attacker to access data or perform actions they normally shouldn't be able to. The flaw stems from inadequate validation of untrusted input, meaning malicious network traffic can exploit it if a user performs certain interactions with the DevTools interface. While the attack requires user interaction, it carries significant impact—unauthorized access to sensitive information, unauthorized modifications, or disruption of services are all possible. The vulnerability affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux systems.

  • CVE-2026-10926HIGH 8.8

    A use-after-free vulnerability exists in Google Chrome's Cast functionality that allows an attacker positioned on the same local network to execute arbitrary code on an affected system. The flaw requires no user interaction and can be triggered through specially crafted network traffic. This is a local network attack with high impact—an attacker gaining code execution can read sensitive data, modify system files, and disrupt operations.

  • CVE-2026-10928HIGH 8.8

    A script injection vulnerability in Google Chrome's Headless mode allows attackers to execute arbitrary code on a user's system through a malicious HTML page. The flaw requires user interaction—specifically, the victim must open a crafted webpage in an affected Chrome version—but once triggered, an attacker gains the same privileges as the user running the browser, including the ability to read files, modify data, or install malware.

  • CVE-2026-10935HIGH 8.8

    A type confusion vulnerability in Google Chrome's V8 JavaScript engine allows attackers to execute arbitrary code within the browser's sandbox by tricking users into visiting a malicious website. The vulnerability affects Chrome versions prior to 149.0.7827.53 and requires user interaction (clicking a link or visiting a page). While the code executes within the sandbox, successful exploitation could allow attackers to read, modify, or delete user data accessible to the browser.

  • CVE-2026-10936HIGH 8.8

    A type confusion flaw in Chrome's V8 JavaScript engine allows attackers to execute arbitrary code within the browser's sandbox by tricking users into viewing a specially crafted webpage. The vulnerability requires user interaction (clicking a link or visiting a site) but no authentication or special privileges. Successful exploitation could give an attacker the ability to run malicious code with the same permissions as the Chrome process.

  • CVE-2026-10939HIGH 8.8

    A use-after-free vulnerability exists in Google Chrome's WebRTC component that allows an attacker to execute arbitrary code within Chrome's sandbox by tricking a user into visiting a malicious webpage. The vulnerability affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux. While the exploit requires user interaction (clicking a link or visiting a site), the impact is severe: an attacker gains code execution within the browser process.

  • CVE-2026-10941HIGH 8.8

    A memory access vulnerability in the Skia graphics engine used by Google Chrome allows attackers to run malicious code within Chrome's sandbox by tricking users into visiting a specially crafted webpage. The attack requires user interaction (clicking a link or visiting a site) but needs no special privileges. While the code runs in a sandbox environment, successful exploitation could compromise data confidentiality, integrity, and availability within that isolated context.

  • CVE-2026-10943HIGH 8.8

    A use-after-free vulnerability exists in Google Chrome's WebRTC component that allows attackers to execute arbitrary code within the browser's sandbox. An attacker can exploit this by crafting a malicious HTML page that, when visited by a user, triggers the vulnerability. Although the code execution occurs in a sandbox (limiting direct system access), the vulnerability has a CVSS score of 8.8, indicating it poses a significant risk to confidentiality, integrity, and availability. Chrome versions before 149.0.7827.53 are affected.

  • CVE-2026-10945HIGH 8.8

    A use-after-free vulnerability exists in Google Chrome's PDF handling that allows attackers to execute code within Chrome's sandbox if they can trick a user into performing specific UI interactions with a malicious PDF file. The vulnerability affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux systems.

  • CVE-2026-10947HIGH 8.8

    A use-after-free bug in Google Chrome's WebRTC implementation allows attackers to execute arbitrary code within the browser's sandbox by serving a specially crafted webpage. The vulnerability affects Chrome versions before 149.0.7827.53 and requires user interaction—the victim must visit a malicious page—but once triggered, it grants an attacker near-complete control over the isolated browser process. This is a memory safety issue where freed memory is incorrectly accessed, a common source of high-impact browser exploits.

  • CVE-2026-10948HIGH 8.8

    A use-after-free vulnerability exists in Google Chrome's WebRTC implementation that allows attackers to run malicious code within the browser's sandbox by tricking users into visiting a crafted webpage. The attacker needs user interaction (clicking a link or visiting a malicious site) but requires no special privileges or system access to exploit it. Once triggered, the vulnerability grants full read, write, and execution capabilities within the sandboxed Chrome process.

  • CVE-2026-10951HIGH 8.8

    A use-after-free flaw in Chrome's Autofill feature on iOS allows attackers to corrupt device memory if a user is tricked into performing specific interactions with a malicious webpage. The vulnerability requires user interaction but can lead to complete system compromise—reading sensitive data, modifying files, or crashing the browser.

  • CVE-2026-10952HIGH 8.8

    A use-after-free vulnerability in Google Chrome for iOS allows attackers to corrupt memory on affected iPhones by tricking users into visiting a malicious website. The flaw exists in how Chrome handles certain objects in memory after they've been freed, leaving dangling references that an attacker can manipulate through a crafted HTML page. If successfully exploited, this could lead to arbitrary code execution on the victim's device.

  • CVE-2026-10954HIGH 8.8

    A use-after-free memory safety bug in Google Chrome's Actor component allows attackers to run malicious code within the browser's sandbox by tricking users into visiting a specially crafted web page. The vulnerability affects Chrome versions before 149.0.7827.53 and requires user interaction—specifically clicking a link or visiting a malicious site—but no special privileges. Once triggered, an attacker gains the ability to read, modify, or delete data and potentially escape the sandbox to affect the underlying operating system.

  • CVE-2026-10956HIGH 8.8

    Google Chrome versions before 149.0.7827.53 contain a use-after-free vulnerability in the MimeHandlerView component that could allow an attacker to run malicious code within Chrome's sandbox. An attacker would need to trick a user into visiting a specially crafted webpage to trigger the flaw. If successful, the attacker could gain code execution inside the sandboxed process, potentially compromising user data or enabling further system compromise depending on sandbox escape possibilities.

  • CVE-2026-10957HIGH 8.8

    A use-after-free flaw in Chrome's Glic component allows attackers to execute malicious code within the browser's sandbox by tricking users into visiting a specially crafted webpage. The vulnerability requires user interaction but needs no special privileges to exploit. An attacker could gain code execution in a sandboxed context, potentially reading sensitive data or further compromising the system depending on sandbox escape capabilities.

  • CVE-2026-10958HIGH 8.8

    A use-after-free vulnerability exists in Google Chrome for iOS that could allow an attacker to execute arbitrary code on a user's iPhone. The flaw requires tricking a user into performing specific gestures (such as taps or swipes) while viewing a malicious webpage. Once exploited, an attacker gains full control over the browser process, potentially compromising sensitive data, installing malware, or pivoting to other device functions. Google has addressed this issue in Chrome version 149.0.7827.53 and later.

  • CVE-2026-10962HIGH 8.8

    A type confusion vulnerability in Google Chrome's media handling allows attackers to execute malicious code within the browser's sandbox through a specially crafted webpage. The vulnerability requires user interaction (visiting a malicious page) but poses significant risk because it bypasses browser security boundaries. Chrome versions prior to 149.0.7827.53 are affected across Windows, macOS, and Linux platforms.

  • CVE-2026-10963HIGH 8.8

    A flaw in Google Chrome's V8 JavaScript engine allows attackers to run malicious code within Chrome's security sandbox by tricking users into visiting a specially crafted webpage. The vulnerability stems from an integer overflow—a mathematical error where a number becomes too large for its storage space—that can be exploited without requiring any special permissions or user complexity beyond clicking a link. While the code executes inside the sandbox rather than directly on the operating system, successful exploitation still enables attackers to potentially steal data, modify information, or degrade browser functionality.

  • CVE-2026-10964HIGH 8.8

    A flaw in Google Chrome's JavaScript engine (V8) can allow an attacker to run malicious code within the browser's sandbox by tricking a user into visiting a specially crafted webpage. The vulnerability stems from an integer overflow—a type of memory handling error—that undermines the sandbox's security boundary. While the code runs in a confined environment, this still represents a significant security risk because it can be chained with other vulnerabilities to escape the sandbox and compromise the underlying system.

  • CVE-2026-10965HIGH 8.8

    A vulnerability in Google Chrome's DevTools allows attackers to execute malicious code within Chrome's sandbox by tricking users into visiting a specially crafted webpage. The flaw stems from an integer overflow—a coding error where a number exceeds its maximum value—that can be exploited without requiring special browser settings or elevated permissions. Chrome versions before 149.0.7827.53 are affected.

  • CVE-2026-10975HIGH 8.8

    A use-after-free vulnerability in Google Chrome's WebRTC component allows an attacker to execute arbitrary code within the Chrome sandbox by tricking a user into visiting a specially crafted website. The vulnerability affects Chrome versions prior to 149.0.7827.53 and requires user interaction—specifically clicking a link or visiting a malicious page—but does not require any special privileges. Once exploited, an attacker gains the ability to run code with the same permissions as the Chrome process, potentially compromising sensitive data or escalating further.

  • CVE-2026-10982HIGH 8.8

    A use-after-free flaw in Google Chrome's WebXR implementation allows attackers to run malicious code within the browser's sandbox by tricking users into visiting a specially crafted webpage. The vulnerability affects Chrome versions before 149.0.7827.53 on Windows, macOS, and Linux. While sandboxed, successful exploitation could compromise user data and enable further attacks. User interaction (clicking a link or visiting a site) is required to trigger the vulnerability.

  • CVE-2026-10986HIGH 8.8

    A flaw in how Google Chrome processes media files can allow an attacker to execute code within Chrome's sandbox by tricking a user into opening a malicious file. The vulnerability stems from improper handling of numeric values in media processing, creating a window for code execution. While sandboxed, successful exploitation could grant an attacker access to sensitive data or control within the browser process.

  • CVE-2026-10987HIGH 8.8

    Google Chrome versions before 149.0.7827.53 contain an integer overflow flaw in the V8 JavaScript engine that allows attackers to run malicious code within Chrome's sandbox using a specially crafted webpage. An attacker would need to trick a user into visiting a malicious site, but requires no special privileges or browser plugins. The vulnerability is rated High severity.

  • CVE-2026-10991HIGH 8.8

    Google Chrome contains a use-after-free memory vulnerability in its V8 JavaScript engine that can allow an attacker to run malicious code within Chrome's sandbox. The flaw requires user interaction—specifically, the victim must perform certain UI gestures (like clicking or interacting with specific page elements) while viewing a specially crafted webpage. Once triggered, the vulnerability could allow code execution with the privileges of the Chrome process, potentially compromising the user's browsing session and data. This affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux systems.

  • CVE-2026-11003HIGH 8.8

    Google Chrome versions before 149.0.7827.53 contain a use-after-free vulnerability in its WebRTC component that could allow an attacker to run arbitrary code within Chrome's sandbox by tricking a user into visiting a malicious web page. While the underlying flaw is rated Medium severity by Chromium, the CVSS score reflects the practical impact: network delivery with minimal user friction and full compromise of confidentiality, integrity, and availability within the sandboxed process.

  • CVE-2026-11024HIGH 8.8

    A stack buffer overflow vulnerability exists in the Skia graphics library, which is used by Google Chrome. An attacker could craft a malicious HTML page that, when viewed by a user, potentially corrupts stack memory and compromises the browser process. The vulnerability requires user interaction (visiting a malicious webpage) but presents significant risk because it can lead to code execution with the privileges of the Chrome process. Google Chrome versions prior to 149.0.7827.53 are affected.

  • CVE-2026-11030HIGH 8.8

    Google Chrome versions prior to 149.0.7827.53 contain a use-after-free vulnerability in the Network component that can be triggered by malicious network traffic. An attacker who crafts and delivers hostile network packets to a user's browser could potentially corrupt the heap memory, leading to code execution with the privileges of the browser process. User interaction (such as visiting a malicious website or receiving crafted network data) is required for exploitation.

  • CVE-2026-10001HIGH 8.3

    A use-after-free flaw in Chrome's PerformanceManager could let an attacker escape the browser sandbox if they've already compromised the rendering engine. The attack requires a specially crafted web page and user interaction, but success could grant full system access. This affects Chrome versions before 148.0.7778.216.

  • CVE-2026-10012HIGH 8.3

    A use-after-free flaw in Chrome's Skia graphics library allows an attacker who controls the browser's renderer process to escape the sandbox and execute arbitrary code on the underlying system. The attack requires a malicious HTML page and user interaction, but once the renderer is compromised, the vulnerability enables full system compromise. This is particularly dangerous because renderer exploits are common entry points; this flaw raises the stakes by providing a bridge from that compromised renderer to the host OS.

  • CVE-2026-10884HIGH 8.3

    A use-after-free memory vulnerability exists in Google Chrome's Chromecast component that could allow an attacker to escape the browser's sandbox if the attacker has already compromised the renderer process. The vulnerability requires user interaction and specific browser conditions, but successful exploitation could grant an attacker unauthorized access to the host system. Google has assigned this a Critical severity rating within Chromium's threat model.

  • CVE-2026-10889HIGH 8.3

    A memory reading flaw in Chrome's ANGLE graphics library can let an attacker who has already gained control of the browser's rendering process break out of the Chrome sandbox and access the underlying system. The attack requires a specially crafted web page and user interaction, but once the renderer is compromised, this vulnerability opens a direct path to full system compromise. Chrome versions before 149.0.7827.53 are affected.

  • CVE-2026-10898HIGH 8.3

    A stack buffer overflow vulnerability exists in the GPU component of Google Chrome versions prior to 149.0.7827.53. An attacker who has already compromised Chrome's renderer process can exploit this flaw through a malicious HTML page to break out of the browser sandbox and gain system-level code execution. While the attacker must first compromise the renderer—typically through a separate browser vulnerability or social engineering—the sandbox escape itself represents a critical escalation path that transforms a contained compromise into full system compromise.

  • CVE-2026-10905HIGH 8.3

    A memory safety flaw in Google Chrome's network code allows an attacker who has already compromised the browser's renderer process to escape the sandbox and gain full system access. The vulnerability requires user interaction (opening a malicious HTML page) but poses significant risk because successful exploitation bypasses Chrome's core security boundary—the sandbox that isolates the browser from the operating system.

  • CVE-2026-10909HIGH 8.3

    A use-after-free vulnerability in Google Chrome's Dawn graphics engine allows an attacker who has already compromised the browser's renderer process to escape the sandbox through a malicious webpage. This is a high-severity issue because it bridges two separate security boundaries—first gaining control within Chrome's renderer, then breaking out to execute arbitrary code on the underlying operating system.

  • CVE-2026-10911HIGH 8.3

    CVE-2026-10911 is a sandbox escape vulnerability in Google Chrome that allows a remote attacker to break out of the browser's security sandbox if they have already compromised the renderer process. The attack requires crafted HTML content and user interaction, but once successful, it grants an attacker full system access. This is a chained attack scenario: an attacker must first compromise the renderer (the part of Chrome that displays web content) through a separate vulnerability, then use this flaw to escape the sandbox and gain control of the underlying system.

  • CVE-2026-10915HIGH 8.3

    A use-after-free memory vulnerability exists in Google Chrome on iOS that allows an attacker who has already compromised the browser's renderer process to break out of the sandbox and gain deeper system access. The vulnerability requires the attacker to serve a specially crafted HTML page and involves a complex attack chain but poses severe risk because successful exploitation can lead to full compromise of the device. Chrome versions prior to 149.0.7827.53 on iOS are affected.

  • CVE-2026-10917HIGH 8.3

    Google Chrome versions before 149.0.7827.53 contain a media handling flaw that allows an attacker who has already compromised the browser's renderer process to escape the sandbox and gain broader system access. The vulnerability requires user interaction (visiting a specially crafted webpage) but poses a significant risk because renderer compromises are common entry points in real attacks. Once inside the renderer, the flaw gives an attacker a path to elevated privileges on the underlying operating system.

  • CVE-2026-10918HIGH 8.3

    A use-after-free vulnerability in Google Chrome's Viz component allows an attacker who has already compromised the browser's renderer process to potentially escape the sandbox and gain deeper system access. The attacker would need to trick a user into visiting a malicious webpage, but the actual exploitation requires prior renderer compromise, making this a multi-stage attack. While not currently known to be exploited in the wild, the vulnerability represents a meaningful privilege escalation path for sophisticated threat actors who have achieved initial browser process compromise.

  • CVE-2026-10919HIGH 8.3

    A use-after-free bug in Chrome's ANGLE graphics library before version 149.0.7827.53 allows an attacker who already controls the browser's rendering process to break out of the sandbox and gain full system access. The attacker must trick a user into visiting a malicious webpage, but once the renderer is compromised, this flaw provides a path to escape Chrome's isolation boundaries.

  • CVE-2026-10920HIGH 8.3

    A validation flaw in Chrome's WebShare feature on macOS allows an attacker who has already compromised the browser's renderer process to break out of the sandbox through a specially crafted webpage. This is a post-compromise privilege escalation risk—the attacker must first gain code execution within the renderer, but if successful, can gain full system access. Chrome versions before 149.0.7827.53 are affected.

  • CVE-2026-10921HIGH 8.3

    A flaw in Google Chrome's graphics processing library (Dawn) could allow an attacker to break out of the browser's security sandbox if they've already compromised the rendering engine. The vulnerability stems from an integer overflow—a situation where a number calculation wraps around and produces an incorrect value—that could be triggered by a specially crafted webpage. While the attacker would need to have already gained access to the renderer process, successfully exploiting this could grant them the same privileges as the operating system user running Chrome, potentially leading to full system compromise.

  • CVE-2026-10924HIGH 8.3

    A mathematical error in Chrome's Chromecast component allows an attacker who has already compromised Chrome's rendering engine to break out of the browser sandbox and gain full system access. The attacker needs to trick a user into visiting a malicious webpage while the renderer is already compromised. This is a serious vulnerability because sandbox escape means the attacker moves from limited browser permissions to unrestricted control of the entire device.

  • CVE-2026-10925HIGH 8.3

    A memory corruption flaw exists in the Skia graphics library within Google Chrome on macOS. An attacker who has already compromised Chrome's renderer process can exploit this out-of-bounds write to break out of the browser sandbox and gain system-level access. The attack requires user interaction (visiting a malicious webpage) but bypasses Chrome's primary security boundary once the renderer is under attacker control.

  • CVE-2026-10927HIGH 8.3

    A memory reading flaw in Google Chrome's graphics component (Dawn) prior to version 149.0.7827.53 allows attackers who have already compromised the browser's renderer process to escape the sandbox through a specially crafted webpage. This is a two-stage attack: first an attacker must find a way into the renderer, then this vulnerability allows them to break out entirely.

  • CVE-2026-10949HIGH 8.3

    A heap buffer overflow vulnerability in Google Chrome's video handling component allows an attacker who has already compromised Chrome's renderer process to escape the browser sandbox and gain system-level access. The attacker would need to craft a malicious HTML page to trigger the overflow, but exploitation requires the renderer to be already compromised—making this a post-compromise escape vector rather than a direct attack from an untrusted webpage. Chrome versions before 149.0.7827.53 are vulnerable on Windows, macOS, and Linux systems.

  • CVE-2026-10960HIGH 8.3

    CVE-2026-10960 is a sandbox escape vulnerability in Google Chrome's video codec handling. An attacker who has already compromised Chrome's renderer process—the sandboxed component responsible for processing web content—can exploit an uninitialized variable in the codec logic to break out of the sandbox and gain full system access. The attack requires a crafted HTML page and user interaction, but once the renderer is compromised, the attacker can leverage this flaw to escalate to native code execution outside Chrome's security boundary.

  • CVE-2026-10961HIGH 8.3

    Chrome for iOS users running versions prior to 149.0.7827.53 face a critical sandbox escape vulnerability. A malicious website can exploit a use-after-free memory flaw to break out of Chrome's security sandbox if the attacker first compromises the renderer process—the component that handles webpage content. Once the sandbox is escaped, an attacker gains direct access to the device, potentially leading to theft of credentials, personal data, or malware installation. The vulnerability requires user interaction (visiting a crafted page) but is otherwise remotely exploitable.

  • CVE-2026-10970HIGH 8.3

    Google Chrome versions prior to 149.0.7827.53 contain a vulnerability in how the browser validates input data related to Interest Groups—a feature used for targeted advertising. An attacker who has already compromised Chrome's renderer process (the part that executes web content) can exploit insufficient input validation to break out of the browser's sandbox—the security boundary designed to isolate web content from the rest of your system. This requires the attacker to first gain renderer access and trick a user into visiting a crafted webpage, but if successful, allows full control over the victim's machine.

  • CVE-2026-10887HIGH 8.1

    A use-after-free flaw in Chrome's Chromoting remote desktop feature on macOS allows attackers to execute arbitrary code by sending specially crafted network traffic. The vulnerability exists in versions prior to 149.0.7827.53 and requires no user interaction—an attacker on the network can trigger the bug remotely, making this a critical threat to any Mac user running an affected Chrome version.

  • CVE-2026-10930HIGH 8.1

    An out-of-bounds read vulnerability in ANGLE (the graphics translation layer used by Chrome on macOS) allows attackers to read sensitive memory from your system by tricking you into visiting a malicious website. The flaw affects Chrome versions before 149.0.7827.53 on Apple macOS. While the attacker cannot directly modify data or take control of your system through this specific vulnerability, they can extract confidential information—including passwords, encryption keys, or other sensitive data stored in memory—and cause Chrome to crash.

  • CVE-2026-11011HIGH 8.1

    A flaw in Google Chrome's Password Manager allows an attacker who has already compromised the browser's renderer process to sidestep site isolation—a critical security boundary that prevents one website from accessing data belonging to another. By crafting a malicious HTML page, the attacker could potentially access sensitive information across different sites. This vulnerability affects Chrome versions before 149.0.7827.53 and requires the attacker to first gain control of the renderer process, which typically happens through a separate exploit or malicious website.

  • CVE-2026-11015HIGH 8.1

    A memory reading flaw in Google Chrome's WebGPU component allows attackers to read data outside the intended memory boundaries when a user visits a specially crafted website. The vulnerability requires user interaction (visiting a malicious page) but does not require special privileges, and while the attacker cannot modify data or directly crash the browser, they can extract sensitive information from the process's memory—such as passwords, keys, or other confidential data stored there.

  • CVE-2026-10003HIGH 7.5

    A use-after-free vulnerability in Chrome's Views component allows attackers to execute arbitrary code on affected systems. The flaw requires user interaction—specifically, the victim must perform particular UI gestures after being convinced to visit a malicious webpage. Once triggered, the vulnerability grants the attacker the same privileges as the user running the browser, potentially leading to complete system compromise.

  • CVE-2026-10005HIGH 7.5

    Google Chrome on macOS contains a use-after-free vulnerability in its WebAppInstalls component that can be exploited to execute arbitrary code. An attacker would need to convince a user to perform specific gestures within a crafted HTML page to trigger the flaw. This affects Chrome versions prior to 148.0.7778.216.

  • CVE-2026-10006HIGH 7.5

    A race condition in Google Chrome's WebAudio component allows attackers to execute arbitrary code within the browser sandbox by serving a specially crafted HTML page to a user. The vulnerability requires user interaction (clicking or navigating to the malicious page) but does not require special privileges. Successfully exploiting this issue could allow an attacker to run code with the permissions of the Chrome process, potentially leading to data theft, malware installation, or further system compromise.

  • CVE-2026-10009HIGH 7.5

    A mathematical error in Chrome's graphics rendering engine (Skia) could allow attackers to break out of the browser sandbox and run malicious code if they've already compromised the browser's rendering process. The vulnerability affects Chrome versions before 148.0.7778.216 and requires user interaction, such as visiting a malicious webpage, to trigger the exploit.

  • CVE-2026-10022HIGH 7.5

    A type confusion flaw in Google Chrome's V8 JavaScript engine (CVE-2026-10022) allows attackers to execute arbitrary code within the browser sandbox if they can trick a user into installing a malicious Chrome extension. The vulnerability affects Chrome versions before 148.0.7778.216 and impacts Windows, macOS, and Linux systems. While the underlying Chromium severity is rated Medium by Google, the CVSS v3.1 score of 7.5 reflects the practical risk: an attacker gaining code execution inside the Chrome sandbox can read sensitive data, modify browser state, or escalate privileges. The attack requires social engineering to distribute the malicious extension, which limits opportunistic exploitation but remains a credible threat in targeted campaigns.

  • CVE-2026-10900HIGH 7.5

    A use-after-free flaw in Google Chrome's password management feature on macOS allows attackers to corrupt memory and potentially execute code if they trick a user into performing specific interactions with a malicious webpage. The vulnerability requires user interaction and affects Chrome versions before 149.0.7827.53. While rated HIGH by CVSS, the attack surface is narrowed by the need for deliberate user gestures and the complexity of reliable exploitation.

  • CVE-2026-10901HIGH 7.5

    A use-after-free memory flaw exists in Google Chrome's password manager on macOS. An attacker can trigger the vulnerability by convincing a user to interact with a specially crafted webpage in specific ways—for example, through unusual clicking patterns or drag-and-drop actions in the password UI. Successful exploitation allows remote code execution with the privileges of the Chrome process. This is a memory safety issue where the browser continues to reference password manager data after it has been freed, creating an opportunity for malicious code injection.

  • CVE-2026-10906HIGH 7.5

    Google Chrome contains a use-after-free vulnerability in its WebAuthentication implementation that can lead to heap memory corruption. An attacker must craft a malicious HTML page and convince a user to interact with it in a specific way—such as clicking or gesturing within the web interface—to trigger the flaw. Successfully exploiting this could allow the attacker to execute arbitrary code or crash the browser. The vulnerability affects Chrome versions before 149.0.7827.53.

  • CVE-2026-10946HIGH 7.5

    Google Chrome versions before 149.0.7827.53 contain a heap buffer overflow vulnerability in its media processing component. An attacker can exploit this by hosting a specially crafted HTML page and convincing a user to interact with it in specific ways—such as clicking, dragging, or performing other UI gestures. If successful, the attacker gains the ability to run arbitrary code, but crucially, that code executes within Chrome's sandbox, limiting lateral damage to the user's system. The vulnerability requires active user involvement, which raises the bar for exploitation but remains a meaningful risk given how often users interact with web content.

  • CVE-2026-10969HIGH 7.5

    A flaw in Google Chrome's extension validation system allows attackers to escalate privileges if they've already compromised Chrome's rendering engine. An attacker would need to trick a user into viewing a specially crafted webpage while the renderer process is already under their control, leading to unauthorized system-level access. This is a High-severity issue affecting Chrome versions before 149.0.7827.53.

  • CVE-2026-10004MEDIUM 6.5

    Google Chrome versions before 148.0.7778.216 contain a flaw in how they validate user input within the password-handling component. An attacker can craft a malicious HTML page that, when visited by a user, tricks the browser into displaying fake password prompts or other UI elements that appear legitimate. This is a spoofing attack—the attacker doesn't steal data directly, but deceives users into believing they're interacting with genuine Chrome interface elements, potentially leading them to enter credentials or take other unintended actions.

  • CVE-2026-10018MEDIUM 6.5

    CVE-2026-10018 is a medium-severity integer overflow vulnerability in ANGLE (Almost Native Graphics Layer Engine), Google's graphics abstraction layer used in Chrome. An attacker can craft a malicious webpage that, when visited, causes Chrome to mishandle memory calculations in its graphics pipeline. This flaw allows the attacker to read sensitive data from the browser's process memory—potentially including cached credentials, session tokens, or other confidential information—without modifying or crashing the system. The vulnerability requires user interaction (visiting the malicious page) but does not require special privileges to exploit.

  • CVE-2026-10912MEDIUM 6.5

    A flaw in Google Chrome's extension handling allows an attacker who has already compromised the renderer process to bypass the browser's same-origin policy—a core security boundary that prevents JavaScript from one website accessing data from another. An attacker would need to trick a user into visiting a specially crafted webpage to exploit this. The vulnerability affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux.

  • CVE-2026-10944MEDIUM 6.5

    A flaw in Google Chrome's autofill feature on iOS could allow an attacker to trick a user into visiting a malicious webpage that extracts sensitive information you've saved in your browser—such as payment details, addresses, or credentials—from other websites you use. The vulnerability requires user interaction (visiting the malicious page) but does not require special system permissions or unusual browser configurations to exploit.

  • CVE-2026-10950MEDIUM 6.5

    Google Chrome on iOS has a flaw in how it enforces security policies for the autofill feature. An attacker can trick a user into visiting a specially crafted webpage that leaks sensitive data from other websites the user has visited or logged into. The vulnerability requires user interaction (clicking or visiting a malicious link) but doesn't require any special browser configuration or authentication bypass. It affects Chrome versions before 149.0.7827.53 on iOS devices.

  • CVE-2026-11006MEDIUM 6.5

    A memory safety flaw in Google Chrome's Dawn graphics component (used for GPU rendering) allows attackers to read sensitive data from a user's memory by tricking them into visiting a specially crafted webpage. The vulnerability does not enable code execution or system crashes, but confidentiality is at risk. Chrome versions prior to 149.0.7827.53 are affected.

  • CVE-2026-11008MEDIUM 6.5

    A flaw in Google Chrome's web app installation feature fails to properly validate user input, allowing an attacker who has already compromised Chrome's renderer process to extract sensitive data from other websites through a malicious webpage. The attacker would need to trick a user into visiting a crafted HTML page, but once the renderer is compromised, the vulnerability creates a pathway to leak cross-origin information that should remain isolated.

  • CVE-2026-11013MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser validates user-supplied input within its networking code. An attacker who has already compromised Chrome's renderer process—the sandboxed component that executes web content—can craft a malicious HTML page to leak sensitive data from the renderer's memory. This is a post-compromise attack vector; the attacker must first gain code execution in the renderer sandbox, but once there, they can extract information that should remain private.

  • CVE-2026-11014MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a vulnerability where insufficient policy enforcement in the extension system allows a malicious extension to circumvent Site Isolation—Chrome's security boundary that prevents one website from accessing another's data. An attacker must first convince a user to install the malicious extension, but once installed, the extension can read or modify data across websites that the user visits, potentially exposing sensitive information.

  • CVE-2026-11016MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw where insufficient validation of network input allows a remote attacker who has already compromised the browser's renderer process to bypass the same-origin policy. An attacker could craft a malicious HTML page to force the compromised renderer to access resources or data from a different origin, violating the security boundary that normally prevents cross-origin access. This requires initial renderer process compromise—the attacker cannot trigger the vulnerability from an unauthenticated network position alone.

  • CVE-2026-11017MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the Link Preview feature handles navigation restrictions. If an attacker first compromises Chrome's renderer process—the component that displays web content—they can craft a malicious HTML page to bypass restrictions that normally prevent unauthorized navigation. The vulnerability requires prior renderer compromise, limiting its immediate attack surface, but it does allow an attacker with that foothold to navigate to restricted locations without proper authorization.

  • CVE-2026-11018MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser enforces navigation policies. An attacker can craft a malicious HTML page that, when visited, tricks Chrome into allowing navigation to restricted destinations that should normally be blocked. The vulnerability requires user interaction—a person must visit the hostile page—but no special privileges are needed on the attacker's side. The core risk is integrity: an attacker can redirect you to unwanted sites, potentially enabling phishing, malware distribution, or social engineering attacks.

  • CVE-2026-11020MEDIUM 6.5

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the browser handles extensions that process XML files. An attacker can craft a malicious XML file that, when processed by a vulnerable extension, leaks sensitive data from other websites the user has visited. The vulnerability requires user interaction—specifically, the user must open or interact with the malicious file—but does not require the attacker to have special privileges or bypass additional security controls. This is a cross-origin data leak, meaning information intended to be isolated between websites can be extracted by an attacker.

  • CVE-2026-11022MEDIUM 6.5

    CVE-2026-11022 is a same-origin policy bypass vulnerability in Google Chrome's DevTools that requires an attacker to have already compromised the renderer process. An attacker could then use a specially crafted HTML page to escape origin restrictions, potentially accessing or modifying data from other websites in the same browser session. This is not a remote code execution vector but rather a privilege escalation within an already-compromised rendering context.

  • CVE-2026-11023MEDIUM 6.5

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the browser handles web app installation that allows an attacker who has already compromised the browser's renderer process to bypass the same-origin policy. This means a specially crafted web page could be used to access or modify content from other websites in ways the browser is supposed to prevent. The attacker needs prior renderer compromise, limiting the immediate threat to users, but the bypass itself is reliable once that initial foothold exists.