By vendor

Google vulnerabilities

Known CVEs affecting Google products, prioritized by severity, with SEC.co remediation and detection guidance.

224 published vulnerabilities · page 2 of 3

  • CVE-2026-11011HIGH 8.1

    A flaw in Google Chrome's Password Manager allows an attacker who has already compromised the browser's renderer process to sidestep site isolation—a critical security boundary that prevents one website from accessing data belonging to another. By crafting a malicious HTML page, the attacker could potentially access sensitive information across different sites. This vulnerability affects Chrome versions before 149.0.7827.53 and requires the attacker to first gain control of the renderer process, which typically happens through a separate exploit or malicious website.

  • CVE-2026-11015HIGH 8.1

    A memory reading flaw in Google Chrome's WebGPU component allows attackers to read data outside the intended memory boundaries when a user visits a specially crafted website. The vulnerability requires user interaction (visiting a malicious page) but does not require special privileges, and while the attacker cannot modify data or directly crash the browser, they can extract sensitive information from the process's memory—such as passwords, keys, or other confidential data stored there.

  • CVE-2026-0059HIGH 8.0

    A heap buffer overflow vulnerability in Android's SDP (Session Description Protocol) discovery module allows an attacker on the same network segment to execute code with the privileges of the affected process. No user action is required, and the attacker needs only basic network access—the flaw can be triggered remotely through specially crafted SDP packets. This is a serious local/adjacent network attack vector that bypasses normal authentication and user interaction requirements.

  • CVE-2026-0095HIGH 8.0

    CVE-2026-0095 is a heap corruption flaw in Android's Bluetooth stack that allows a local attacker with limited privileges to escalate to higher system permissions. The vulnerability stems from an integer overflow in the l2c_fcr_clone_buf function, which can be manipulated to corrupt memory in the Bluetooth daemon process. Because this runs in a privileged context, successful exploitation grants elevated access without requiring additional tricks or user interaction.

  • CVE-2026-0097HIGH 8.0

    A logic error in Android's Bluetooth Low Energy (LE) pairing mechanism allows an attacker within wireless range to pair a device without requiring user approval or interaction. An attacker with local access to a Bluetooth-enabled Android device can escalate privileges by circumventing the normal pairing consent flow, potentially gaining full read, write, and execution access on the target device. This is particularly dangerous because it requires no user action to exploit.

  • CVE-2025-22424HIGH 7.8

    A vulnerability in Android allows a user with local access to view images that should be restricted to other users. The flaw stems from insufficient validation of user input across multiple code locations. While this requires someone already on the device and user interaction to exploit, it can lead to privilege escalation, meaning an attacker could gain elevated access to sensitive data and system resources.

  • CVE-2025-22426HIGH 7.8

    CVE-2025-22426 is a privilege escalation vulnerability in Android's ComputerEngine component that allows a local attacker with basic user-level access to bypass security boundaries and access resources (URIs) belonging to other users on the same device. The flaw stems from a logic error in multiple functions within ComputerEngine.java that fails to properly enforce cross-user access controls. An attacker needs only local access to the device and their own user account—no special permissions or user interaction required—making this a straightforward path to elevated privileges.

  • CVE-2025-26418HIGH 7.8

    A vulnerability in Android's device management system allows a local attacker with basic app permissions to bypass the user confirmation dialog that normally protects account additions on managed devices. This enables privilege escalation without requiring any special system access or user interaction. The flaw stems from a missing permission check in the CarDevicePolicyService component.

  • CVE-2025-32348HIGH 7.8

    CVE-2025-32348 is a privilege escalation vulnerability affecting Android that allows a local attacker to launch background activities without proper permission validation. An attacker with basic user-level access can exploit this flaw to gain elevated privileges on the device—no special capabilities or user interaction required. The vulnerability exists across multiple code paths where permission checks are missing, creating a consistent attack surface.

  • CVE-2025-48570HIGH 7.8

    A vulnerability in Android's PipTaskOrganizer component allows a malicious application with basic system privileges to launch activities from the background without user interaction. An attacker exploiting this flaw could escalate their privileges within the system, potentially gaining access to sensitive functionality or data. The vulnerability stems from a confused deputy issue—where a trusted system component is tricked into performing privileged actions on behalf of an unprivileged attacker.

  • CVE-2025-48649HIGH 7.8

    CVE-2025-48649 is a local privilege escalation vulnerability affecting Google Android in which an attacker with limited user privileges can reset user-selected permission settings, effectively bypassing the permissions model that Android uses to protect sensitive device capabilities. Because no additional privileges are needed and user interaction is not required, any application with basic local access can trigger this issue to gain unauthorized access to protected device functions—a significant departure from Android's intended permission architecture.

  • CVE-2025-48652HIGH 7.8

    A logic flaw in Android's application installation validation code allows a local attacker to bypass Mobile Device Management (MDM) security policies. An attacker with local access to the device can exploit this vulnerability to gain elevated privileges without requiring additional permissions or user interaction. MDM policies are a key security control for organizations managing corporate Android devices, making this bypass a significant concern for enterprise environments.

  • CVE-2026-0009HIGH 7.8

    A logic error in Android allows a local attacker to hijack touch input through tapjacking attacks, potentially gaining elevated privileges on the device. No special permissions or user interaction are required for exploitation, making this a direct path to privilege escalation for any app already running on the compromised system.

  • CVE-2026-0036HIGH 7.8

    CVE-2026-0036 is a tapjacking vulnerability in Android's StageCoordinator animation handler that allows a malicious app to escalate privileges without requiring user interaction or special permissions. An attacker with a local account on the device can overlay transparent windows to intercept touch events or manipulate the animation state, gaining unauthorized access to sensitive device functions and data. The vulnerability affects multiple Android versions and is rated HIGH severity due to its direct path to privilege escalation.

  • CVE-2026-0045HIGH 7.8

    A logic error in Android's Bluetooth RFCOMM connection handling allows a local attacker to bypass the bonding requirement for secure connections. An attacker with local access can escalate privileges without needing special permissions or user interaction, potentially gaining full control over sensitive device functions protected by Bluetooth pairing.

  • CVE-2026-0072HIGH 7.8

    A missing permission check in Android's input method manager allows a local attacker with minimal privileges to escalate their access and take full control of the affected device. No user action is required to exploit this flaw, making it a practical risk in multi-user or compromised environments.

  • CVE-2026-0076HIGH 7.8

    CVE-2026-0076 is a local privilege escalation vulnerability in Android's ResourceTypes.cpp component. An attacker with local access to a device can trigger an out-of-bounds memory read through a flawed bounds check in the validateNode function. Successful exploitation allows the attacker to escalate privileges without requiring additional permissions or user interaction, potentially gaining elevated system access.

  • CVE-2026-0077HIGH 7.8

    CVE-2026-0077 is a privilege escalation vulnerability in Android's ActivityRecord component that allows a local attacker with limited user privileges to launch background applications and gain elevated system access. The flaw stems from a logic error in the resumeConfigurationDispatch function that fails to properly validate or constrain application launch permissions. No special privileges or user interaction are required for exploitation, making this a straightforward attack vector for any app running on an affected device.

  • CVE-2026-0078HIGH 7.8

    A flaw in Android's device policy management system allows a local user to escalate their privileges by exploiting improper validation of proxy configuration settings. The vulnerability exists in how the system persists global proxy changes, creating a state mismatch that can be leveraged without requiring special permissions or user interaction. An attacker with basic local access can trigger the flaw to gain elevated system privileges.

  • CVE-2026-0087HIGH 7.8

    A logic error in Android's domain verification service allows a local attacker to hijack app links associated with arbitrary applications. By exploiting this flaw, an attacker can redirect app links to malicious apps, potentially intercepting sensitive user actions or data. The vulnerability requires local access but no special permissions or user interaction, making it a meaningful escalation path on compromised or personally-owned devices.

  • CVE-2026-0088HIGH 7.8

    A flaw in Android's certificate installer component allows a malicious app with basic system privileges to bypass security dialogs that normally protect sensitive operations. By exploiting misleading UI presentation, an attacker can escalate their permissions without user knowledge or interaction. The vulnerability is particularly dangerous because it requires no special execution rights—a standard app can trigger it.

  • CVE-2026-0089HIGH 7.8

    CVE-2026-0089 is a vulnerability in Android's PackageInstallerService that allows a local attacker with basic user-level permissions to bypass security checks and install applications without proper verification. Because the vulnerability exists in multiple functions that lack proper permission validation, an attacker can escalate their privileges by sidestepping the normal app installation safeguards. No user interaction or special device access is required to exploit this flaw once an attacker has obtained standard user privileges on the device.

  • CVE-2026-0091HIGH 7.8

    A privilege escalation vulnerability exists in Android where an over-privileged shell user can execute arbitrary code within the launcher process. An attacker with local access can exploit this weakness to gain elevated privileges without needing special execution rights or user interaction. This is a local-only threat that targets the core launcher functionality central to Android's user interface and app management.

  • CVE-2026-0093HIGH 7.8

    CVE-2026-0093 is a local privilege escalation vulnerability affecting Google Android. The flaw stems from misleading user interface elements that obscure the true nature of certain operations, potentially tricking users into granting elevated permissions. An attacker with local access to the device can exploit this weakness to escalate privileges without needing special system permissions beforehand, and notably, without requiring any user interaction during the actual exploitation phase. The vulnerability allows an attacker to read, modify, or delete sensitive data and potentially take control of affected system functions.

  • CVE-2026-0094HIGH 7.8

    A flaw in Android's KeyChain component allows a local attacker with user-level privileges to manipulate the certificate approval interface in a way that tricks the system into granting access to certificates without explicit user consent. The vulnerability stems from misleading or incomplete UI messaging in the getApplicationLabel function, enabling privilege escalation entirely through local interaction. No special permissions or user action is required to exploit it once initiated.

  • CVE-2026-0096HIGH 7.8

    CVE-2026-0096 is a local privilege escalation vulnerability in Android's ForgetDeviceDialogFragment that allows an attacker with local access to manipulate or bypass a device-forget confirmation flow due to misleading UI elements. The vulnerability requires no user interaction to exploit and can result in unauthorized privilege escalation on the affected device.

  • CVE-2026-0098HIGH 7.8

    CVE-2026-0098 is a local privilege escalation vulnerability in Android's package-calling logic that allows a malicious app to bypass restrictions on which activities it can start. The flaw stems from a confused deputy problem—the system incorrectly trusts the calling context of an app requesting activity launches. An attacker with a local app installation can exploit this without special permissions or user interaction to gain elevated privileges, potentially accessing sensitive device functions or data reserved for system components.

  • CVE-2026-0099HIGH 7.8

    A vulnerability exists in Android's host emulation manager that allows a malicious app to launch activities (screen components) from the background without proper authorization. The flaw stems from a logic error in how the system validates binding requests. While an attacker needs to be a local user with some system access already, they can exploit this to gain elevated privileges on the device. The vulnerability requires user interaction to trigger—likely through social engineering or user action within a compromised app context.

  • CVE-2026-0100HIGH 7.8

    A heap buffer overflow vulnerability exists in Android's resource loading code (LoadedArsc.cpp) that allows a local attacker with standard user privileges to write data beyond the intended buffer boundaries. This memory corruption can be exploited to gain elevated system privileges without requiring special permissions or user interaction, making it a serious local privilege escalation vector.

  • CVE-2026-10942HIGH 7.8

    Google Chrome on Windows contains a UI implementation flaw that allows a local attacker to escalate privileges by opening a malicious file. The vulnerability affects Chrome versions prior to 149.0.7827.53 and requires user interaction (opening a file) but no authentication. If exploited, an attacker could gain elevated system privileges on an affected machine.

  • CVE-2026-28577HIGH 7.8

    A vulnerability in Android's window management system allows a locally authenticated attacker to perform a tapjacking attack—placing hidden overlay windows on top of legitimate applications to intercept user input or actions. This attack doesn't require user interaction to trigger and can result in unauthorized privilege escalation. The attacker needs only local access to the device (such as through an installed app), making it a practical threat in real-world scenarios.

  • CVE-2026-28580HIGH 7.8

    CVE-2026-28580 is a local privilege escalation vulnerability affecting Google Android. An attacker with basic user-level access to a device can exploit an incorrect bounds check in multiple persistence-related functions to gain elevated privileges without requiring additional capabilities or interaction from the user. The issue stems from a synchronization problem that allows the attacker to manipulate persistent data in an unexpected way, ultimately escalating their permissions on the system.

  • CVE-2026-10003HIGH 7.5

    A use-after-free vulnerability in Chrome's Views component allows attackers to execute arbitrary code on affected systems. The flaw requires user interaction—specifically, the victim must perform particular UI gestures after being convinced to visit a malicious webpage. Once triggered, the vulnerability grants the attacker the same privileges as the user running the browser, potentially leading to complete system compromise.

  • CVE-2026-10005HIGH 7.5

    Google Chrome on macOS contains a use-after-free vulnerability in its WebAppInstalls component that can be exploited to execute arbitrary code. An attacker would need to convince a user to perform specific gestures within a crafted HTML page to trigger the flaw. This affects Chrome versions prior to 148.0.7778.216.

  • CVE-2026-10006HIGH 7.5

    A race condition in Google Chrome's WebAudio component allows attackers to execute arbitrary code within the browser sandbox by serving a specially crafted HTML page to a user. The vulnerability requires user interaction (clicking or navigating to the malicious page) but does not require special privileges. Successfully exploiting this issue could allow an attacker to run code with the permissions of the Chrome process, potentially leading to data theft, malware installation, or further system compromise.

  • CVE-2026-10009HIGH 7.5

    A mathematical error in Chrome's graphics rendering engine (Skia) could allow attackers to break out of the browser sandbox and run malicious code if they've already compromised the browser's rendering process. The vulnerability affects Chrome versions before 148.0.7778.216 and requires user interaction, such as visiting a malicious webpage, to trigger the exploit.

  • CVE-2026-10022HIGH 7.5

    A type confusion flaw in Google Chrome's V8 JavaScript engine (CVE-2026-10022) allows attackers to execute arbitrary code within the browser sandbox if they can trick a user into installing a malicious Chrome extension. The vulnerability affects Chrome versions before 148.0.7778.216 and impacts Windows, macOS, and Linux systems. While the underlying Chromium severity is rated Medium by Google, the CVSS v3.1 score of 7.5 reflects the practical risk: an attacker gaining code execution inside the Chrome sandbox can read sensitive data, modify browser state, or escalate privileges. The attack requires social engineering to distribute the malicious extension, which limits opportunistic exploitation but remains a credible threat in targeted campaigns.

  • CVE-2026-10899HIGH 7.5

    A use-after-free vulnerability exists in Google Chrome's Ozone display system on Linux that could allow an attacker to corrupt the browser's memory. If a user is tricked into performing specific UI interactions on a malicious webpage, the attacker could potentially execute code or crash the browser. This flaw affects Chrome versions prior to 149.0.7827.53 on Linux systems.

  • CVE-2026-10900HIGH 7.5

    A use-after-free flaw in Google Chrome's password management feature on macOS allows attackers to corrupt memory and potentially execute code if they trick a user into performing specific interactions with a malicious webpage. The vulnerability requires user interaction and affects Chrome versions before 149.0.7827.53. While rated HIGH by CVSS, the attack surface is narrowed by the need for deliberate user gestures and the complexity of reliable exploitation.

  • CVE-2026-10901HIGH 7.5

    A use-after-free memory flaw exists in Google Chrome's password manager on macOS. An attacker can trigger the vulnerability by convincing a user to interact with a specially crafted webpage in specific ways—for example, through unusual clicking patterns or drag-and-drop actions in the password UI. Successful exploitation allows remote code execution with the privileges of the Chrome process. This is a memory safety issue where the browser continues to reference password manager data after it has been freed, creating an opportunity for malicious code injection.

  • CVE-2026-10906HIGH 7.5

    Google Chrome contains a use-after-free vulnerability in its WebAuthentication implementation that can lead to heap memory corruption. An attacker must craft a malicious HTML page and convince a user to interact with it in a specific way—such as clicking or gesturing within the web interface—to trigger the flaw. Successfully exploiting this could allow the attacker to execute arbitrary code or crash the browser. The vulnerability affects Chrome versions before 149.0.7827.53.

  • CVE-2026-10946HIGH 7.5

    Google Chrome versions before 149.0.7827.53 contain a heap buffer overflow vulnerability in its media processing component. An attacker can exploit this by hosting a specially crafted HTML page and convincing a user to interact with it in specific ways—such as clicking, dragging, or performing other UI gestures. If successful, the attacker gains the ability to run arbitrary code, but crucially, that code executes within Chrome's sandbox, limiting lateral damage to the user's system. The vulnerability requires active user involvement, which raises the bar for exploitation but remains a meaningful risk given how often users interact with web content.

  • CVE-2026-10969HIGH 7.5

    A flaw in Google Chrome's extension validation system allows attackers to escalate privileges if they've already compromised Chrome's rendering engine. An attacker would need to trick a user into viewing a specially crafted webpage while the renderer process is already under their control, leading to unauthorized system-level access. This is a High-severity issue affecting Chrome versions before 149.0.7827.53.

  • CVE-2026-10968HIGH 7.4

    A vulnerability in Chrome's graphics rendering engine (Dawn) on Windows allows attackers to steal sensitive data from websites you're visiting. If an attacker first compromises Chrome's renderer process—the part that runs web content—they can craft a malicious webpage to leak information across website boundaries, bypassing Chrome's security isolation. This requires the attacker to have already gained control of the renderer, making it part of a multi-stage attack but with serious data-theft consequences once achieved.

  • CVE-2026-10973HIGH 7.4

    A flaw in Google Chrome's Dawn graphics component allowed attackers to extract sensitive data across website boundaries through a specially crafted web page. The vulnerability required user interaction (clicking or visiting a malicious page) but did not require any special privileges. An attacker could craft HTML that exploits uninitialized memory in Chrome's graphics processing to read data from other origins that should have been isolated, potentially exposing authentication tokens, personal information, or other sensitive content loaded in the same browser session.

  • CVE-2026-10976HIGH 7.4

    A memory disclosure vulnerability exists in Google Chrome's graphics engine (Dawn) that could allow an attacker to read sensitive data from Chrome's process memory. The flaw stems from uninitialized variables being used without proper initialization checks. An attacker would need to trick a user into visiting a specially crafted webpage to trigger the vulnerability. The issue affects Chrome versions before 149.0.7827.53.

  • CVE-2026-11035HIGH 7.3

    Google Chrome on Android contains a flaw in how it handles Custom Tabs—a feature that allows apps to open web content within their own interface. An attacker with local access to a device can exploit this vulnerability by crafting a malicious XML file, potentially gaining elevated privileges on the system. The issue affects Chrome versions prior to 149.0.7827.53. While the base severity from Chromium is listed as Medium, the overall risk score reflects the complete attack chain impact.

  • CVE-2026-0048MEDIUM 6.8

    A vulnerability exists in Android's WindowState component that allows an attacker to overlay malicious UI on top of legitimate system dialogs, tricking users into granting permissions they did not intend to approve. The attack exploits a tapjacking technique where touch inputs are intercepted and misdirected. No special privileges or user awareness is required for the attack to succeed, making it a local but potentially high-impact privilege escalation vector.

  • CVE-2026-0086MEDIUM 6.8

    A vulnerability in Android's DisableSupervisionActivity allows an attacker to delete supervision data on a device by exploiting a missing null check in the onCreate method. This flaw enables local privilege escalation without requiring any special permissions or user interaction, meaning the exploit could trigger automatically during normal device operation. The vulnerability affects multiple Android versions and has a medium severity rating.

  • CVE-2026-0039MEDIUM 6.5

    CVE-2026-0039 is an integer overflow vulnerability in Android's ubsan_throwing_runtime.cpp that allows an authenticated attacker to remotely crash or disable affected devices. The flaw resides in multiple functions and can be exploited without user interaction, making it a straightforward denial-of-service vector for anyone with network access to a vulnerable Android system.

  • CVE-2026-0040MEDIUM 6.5

    CVE-2026-0040 is an integer overflow vulnerability in Google Android's ubsan_throwing_runtime.cpp file that allows an authenticated attacker to remotely crash the system. No special privileges or user interaction are required for exploitation, making this a straightforward denial-of-service attack vector. The flaw resides in multiple functions within a core runtime component, meaning the exposure is likely widespread across affected Android versions.

  • CVE-2026-0041MEDIUM 6.5

    An integer overflow vulnerability exists in Google Android's UBSan (Undefined Behavior Sanitizer) runtime code. When triggered, the overflow causes the sanitizer itself to fail rather than safely handling undefined behavior, resulting in application crashes or service disruption. An authenticated attacker can remotely exploit this without user interaction, making it a network-reachable denial-of-service vector.

  • CVE-2026-0044MEDIUM 6.5

    CVE-2026-0044 is an integer overflow vulnerability in Android's ubsan_throwing_runtime.cpp that allows an authenticated attacker to crash the system remotely. The flaw requires valid credentials to exploit but no user interaction, making it a straightforward denial-of-service vector that can disrupt device availability without requiring the attacker to execute code or escalate privileges.

  • CVE-2026-0051MEDIUM 6.5

    A vulnerability in Google Android's UBSan (Undefined Behavior Sanitizer) runtime component allows an authenticated attacker to crash the system by sending malformed input to multiple functions in ubsan_throwing_runtime.cpp. The vulnerability requires valid credentials to exploit but no special privileges, and the attacker doesn't need to interact with the device user. The impact is denial of service—the system becomes unavailable—but data confidentiality and integrity are not compromised.

  • CVE-2026-0052MEDIUM 6.5

    CVE-2026-0052 is an integer overflow vulnerability in Android's UBSan runtime that can be triggered remotely by an authenticated attacker to crash the affected system. The flaw exists in multiple functions within ubsan_throwing_runtime.cpp and requires only network access and valid credentials—no special privileges or user interaction needed. Successful exploitation results in denial of service, making the device temporarily unavailable.

  • CVE-2026-0080MEDIUM 6.5

    CVE-2026-0080 is an integer overflow vulnerability in Google Android's ubsan_throwing_runtime.cpp that allows authenticated attackers to crash affected devices remotely. The flaw requires a valid login but no special permissions, and can be triggered without user interaction—making it a practical denial-of-service vector for an attacker with baseline Android system access.

  • CVE-2026-10004MEDIUM 6.5

    Google Chrome versions before 148.0.7778.216 contain a flaw in how they validate user input within the password-handling component. An attacker can craft a malicious HTML page that, when visited by a user, tricks the browser into displaying fake password prompts or other UI elements that appear legitimate. This is a spoofing attack—the attacker doesn't steal data directly, but deceives users into believing they're interacting with genuine Chrome interface elements, potentially leading them to enter credentials or take other unintended actions.

  • CVE-2026-10008MEDIUM 6.5

    Google Chrome on Android contains an uninitialized memory flaw in the GPU rendering pipeline that could allow an attacker to extract sensitive data from the browser process. An attacker would craft a malicious HTML page that, when loaded by a user, exploits how the GPU handles uninitialized memory regions—leaking fragments of previously-used data that may contain sensitive information. This is a memory disclosure vulnerability, not a code execution flaw, but information leaks can enable follow-on attacks or expose credentials, tokens, and personal data.

  • CVE-2026-10018MEDIUM 6.5

    CVE-2026-10018 is a medium-severity integer overflow vulnerability in ANGLE (Almost Native Graphics Layer Engine), Google's graphics abstraction layer used in Chrome. An attacker can craft a malicious webpage that, when visited, causes Chrome to mishandle memory calculations in its graphics pipeline. This flaw allows the attacker to read sensitive data from the browser's process memory—potentially including cached credentials, session tokens, or other confidential information—without modifying or crashing the system. The vulnerability requires user interaction (visiting the malicious page) but does not require special privileges to exploit.

  • CVE-2026-10912MEDIUM 6.5

    A flaw in Google Chrome's extension handling allows an attacker who has already compromised the renderer process to bypass the browser's same-origin policy—a core security boundary that prevents JavaScript from one website accessing data from another. An attacker would need to trick a user into visiting a specially crafted webpage to exploit this. The vulnerability affects Chrome versions prior to 149.0.7827.53 across Windows, macOS, and Linux.

  • CVE-2026-10937MEDIUM 6.5

    CVE-2026-10937 is a same-origin policy bypass vulnerability in Google Chrome's password handling logic. An attacker can craft a malicious HTML page that, when visited by a user, exploits an implementation flaw to circumvent Chrome's same-origin policy protections. This could allow unauthorized script execution or data access across domain boundaries, though the actual impact depends on how the flaw is chained with other browser capabilities. The vulnerability affects Chrome versions prior to 149.0.7827.53 and requires user interaction to trigger.

  • CVE-2026-10938MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser handles certain HTML input that could allow an attacker to circumvent site isolation protections, but only if they have already compromised the renderer process. Site isolation is Chrome's core defense that prevents a compromised website from accessing data from other open websites. This vulnerability narrows that protection in specific scenarios.

  • CVE-2026-10944MEDIUM 6.5

    A flaw in Google Chrome's autofill feature on iOS could allow an attacker to trick a user into visiting a malicious webpage that extracts sensitive information you've saved in your browser—such as payment details, addresses, or credentials—from other websites you use. The vulnerability requires user interaction (visiting the malicious page) but does not require special system permissions or unusual browser configurations to exploit.

  • CVE-2026-10950MEDIUM 6.5

    Google Chrome on iOS has a flaw in how it enforces security policies for the autofill feature. An attacker can trick a user into visiting a specially crafted webpage that leaks sensitive data from other websites the user has visited or logged into. The vulnerability requires user interaction (clicking or visiting a malicious link) but doesn't require any special browser configuration or authentication bypass. It affects Chrome versions before 149.0.7827.53 on iOS devices.

  • CVE-2026-10977MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in Skia (Chrome's graphics rendering engine) that could allow an attacker who has already compromised your browser's renderer process to steal data from websites you visit. The attacker would need to trick you into viewing a specially crafted webpage. This is a real but narrowly scoped risk—it requires the renderer to already be under attacker control, limiting the immediate threat from casual browsing.

  • CVE-2026-10979MEDIUM 6.5

    A flaw in the ANGLE graphics library used by Google Chrome before version 149.0.7827.53 allows attackers to read memory outside intended bounds. An attacker can craft a malicious HTML page that, when visited by a user, extracts sensitive data from Chrome's process memory—such as authentication tokens, encryption keys, or other confidential information. Exploitation requires user interaction (clicking a link or visiting a site) but no special privileges.

  • CVE-2026-10980MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in DevTools that allows an attacker who has already compromised the browser's rendering engine to bypass the same-origin policy—a core security boundary that prevents websites from accessing each other's data. An attacker could craft a malicious HTML page to exploit this, potentially gaining unauthorized access to sensitive information from other websites.

  • CVE-2026-10981MEDIUM 6.5

    CVE-2026-10981 is a cross-origin data leak vulnerability in Google Chrome's video codec handling. An attacker who has already compromised Chrome's renderer process can craft a malicious video file to exfiltrate sensitive data from other websites the user is visiting. The vulnerability requires user interaction (opening or playing a video file) and relies on prior compromise of the rendering engine, limiting the attack surface but creating risk for users who already have malware or who visit compromised sites.

  • CVE-2026-10985MEDIUM 6.5

    A flaw in Skia, the graphics rendering engine used by Google Chrome, allows attackers to read data they shouldn't have access to by crafting a malicious web page. When a user visits such a page, the browser's memory can leak information from other websites or origins, potentially exposing sensitive data. The attack requires user interaction—clicking a link or visiting a hostile site—but doesn't require any special browser permissions or configuration.

  • CVE-2026-10992MEDIUM 6.5

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the Animation feature validates user-supplied data. An attacker can craft a malicious HTML page that, when opened in a vulnerable Chrome browser, leaks sensitive information stored in the browser's process memory. The attack requires user interaction (opening the page) but no authentication or special browser configuration.

  • CVE-2026-10993MEDIUM 6.5

    A heap buffer overflow vulnerability exists in Skia, the graphics rendering engine used by Google Chrome. By visiting a specially crafted webpage, an attacker can read sensitive data from Chrome's memory without requiring any special user permissions beyond clicking the link. The vulnerability affects Chrome versions before 149.0.7827.53 and has a CVSS severity rating of Medium.

  • CVE-2026-10994MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in the ANGLE graphics library that can leak sensitive data from your browser's memory. An attacker can craft a malicious webpage that, when you visit it, reads uninitialized memory and potentially extracts information like passwords, tokens, or other private data. The vulnerability requires user interaction (clicking or viewing the page) but does not require special browser permissions.

  • CVE-2026-10996MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a vulnerability in how Web Workers are implemented that could allow an attacker to bypass the same-origin policy—a fundamental browser security boundary. An attacker could craft a malicious HTML page that, when visited by a user, potentially accesses or modifies content from other websites in the victim's browser session. This requires user interaction (visiting the crafted page) but does not require any special browser features to be enabled.

  • CVE-2026-10997MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how it enforces policies on extensions. An attacker could craft a malicious extension that, if installed by a user, would be able to bypass access controls that should normally restrict what the extension can do. This is a user-assisted attack—the victim must actively install the extension—but once installed, the extension gains unintended capabilities.

  • CVE-2026-10999MEDIUM 6.5

    An integer overflow vulnerability exists in ANGLE (a graphics abstraction layer) within Google Chrome on Windows. Before version 149.0.7827.53, this flaw could allow an attacker who already controls the Chrome renderer process to read sensitive data from memory by tricking a user into viewing a specially crafted webpage. The vulnerability requires user interaction (clicking a link or visiting a malicious site) but does not allow the attacker to modify data or crash the browser.

  • CVE-2026-11001MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in the Payments feature that allows attackers to create a fake user interface through a specially crafted webpage. To exploit this, an attacker would need to trick a user into performing specific interactions—such as clicks or gestures—on the malicious page. The attack does not steal data or crash the browser, but instead deceives the user by making the browser display content that appears to come from a trusted source, when it actually originates from the attacker. This is a medium-severity issue that depends on user interaction to succeed.

  • CVE-2026-11006MEDIUM 6.5

    A memory safety flaw in Google Chrome's Dawn graphics component (used for GPU rendering) allows attackers to read sensitive data from a user's memory by tricking them into visiting a specially crafted webpage. The vulnerability does not enable code execution or system crashes, but confidentiality is at risk. Chrome versions prior to 149.0.7827.53 are affected.

  • CVE-2026-11007MEDIUM 6.5

    A flaw in Google Chrome's WebView on Android allows an attacker who has already compromised Chrome's renderer process to steal sensitive data from other websites. The vulnerability stems from inadequate validation of user-supplied input, making it possible for an attacker to craft a malicious webpage that leaks cross-origin information—data that should remain isolated between websites. While the attacker must first gain control of the renderer process, the subsequent data leakage requires only that a user visit a crafted page, making this a meaningful risk in multi-stage attack chains.

  • CVE-2026-11008MEDIUM 6.5

    A flaw in Google Chrome's web app installation feature fails to properly validate user input, allowing an attacker who has already compromised Chrome's renderer process to extract sensitive data from other websites through a malicious webpage. The attacker would need to trick a user into visiting a crafted HTML page, but once the renderer is compromised, the vulnerability creates a pathway to leak cross-origin information that should remain isolated.

  • CVE-2026-11013MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser validates user-supplied input within its networking code. An attacker who has already compromised Chrome's renderer process—the sandboxed component that executes web content—can craft a malicious HTML page to leak sensitive data from the renderer's memory. This is a post-compromise attack vector; the attacker must first gain code execution in the renderer sandbox, but once there, they can extract information that should remain private.

  • CVE-2026-11014MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a vulnerability where insufficient policy enforcement in the extension system allows a malicious extension to circumvent Site Isolation—Chrome's security boundary that prevents one website from accessing another's data. An attacker must first convince a user to install the malicious extension, but once installed, the extension can read or modify data across websites that the user visits, potentially exposing sensitive information.

  • CVE-2026-11016MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw where insufficient validation of network input allows a remote attacker who has already compromised the browser's renderer process to bypass the same-origin policy. An attacker could craft a malicious HTML page to force the compromised renderer to access resources or data from a different origin, violating the security boundary that normally prevents cross-origin access. This requires initial renderer process compromise—the attacker cannot trigger the vulnerability from an unauthenticated network position alone.

  • CVE-2026-11017MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the Link Preview feature handles navigation restrictions. If an attacker first compromises Chrome's renderer process—the component that displays web content—they can craft a malicious HTML page to bypass restrictions that normally prevent unauthorized navigation. The vulnerability requires prior renderer compromise, limiting its immediate attack surface, but it does allow an attacker with that foothold to navigate to restricted locations without proper authorization.

  • CVE-2026-11018MEDIUM 6.5

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser enforces navigation policies. An attacker can craft a malicious HTML page that, when visited, tricks Chrome into allowing navigation to restricted destinations that should normally be blocked. The vulnerability requires user interaction—a person must visit the hostile page—but no special privileges are needed on the attacker's side. The core risk is integrity: an attacker can redirect you to unwanted sites, potentially enabling phishing, malware distribution, or social engineering attacks.

  • CVE-2026-11019MEDIUM 6.5

    A vulnerability in Google Chrome's payments implementation on Android allows an attacker who has already compromised the browser's rendering engine to trick users into believing they are interacting with a legitimate website when they are actually on a fraudulent one. The attacker would craft a deceptive HTML page that spoofs the domain name displayed to the user, potentially leading to credential theft, payment fraud, or other social engineering attacks. This requires an initial compromise of the renderer process, which limits the immediate exposure but represents a serious escalation risk once that initial foothold is established.

  • CVE-2026-11020MEDIUM 6.5

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the browser handles extensions that process XML files. An attacker can craft a malicious XML file that, when processed by a vulnerable extension, leaks sensitive data from other websites the user has visited. The vulnerability requires user interaction—specifically, the user must open or interact with the malicious file—but does not require the attacker to have special privileges or bypass additional security controls. This is a cross-origin data leak, meaning information intended to be isolated between websites can be extracted by an attacker.

  • CVE-2026-11022MEDIUM 6.5

    CVE-2026-11022 is a same-origin policy bypass vulnerability in Google Chrome's DevTools that requires an attacker to have already compromised the renderer process. An attacker could then use a specially crafted HTML page to escape origin restrictions, potentially accessing or modifying data from other websites in the same browser session. This is not a remote code execution vector but rather a privilege escalation within an already-compromised rendering context.

  • CVE-2026-11023MEDIUM 6.5

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in how the browser handles web app installation that allows an attacker who has already compromised the browser's renderer process to bypass the same-origin policy. This means a specially crafted web page could be used to access or modify content from other websites in ways the browser is supposed to prevent. The attacker needs prior renderer compromise, limiting the immediate threat to users, but the bypass itself is reliable once that initial foothold exists.

  • CVE-2026-11025MEDIUM 6.5

    Google Chrome on Android contains a flaw in how it enforces content security policies (CSP) during navigation. An attacker can craft a malicious HTML page that, when visited by a user, bypasses the browser's CSP protections. This allows the attacker to inject or execute unintended content within a page that should be restricted. The vulnerability requires user interaction (visiting a malicious site) and affects Chrome versions before 149.0.7827.53 on Android devices.

  • CVE-2026-11026MEDIUM 6.5

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in how extensions are handled that allows an attacker to bypass built-in navigation restrictions. The vulnerability requires social engineering—an attacker must trick a user into installing a malicious Chrome extension. Once installed, the extension can circumvent the browser's navigation safeguards, potentially redirecting users to unintended destinations or enabling other attack chains. This is classified as a Medium severity issue by Chromium's security team.

  • CVE-2026-11027MEDIUM 6.5

    A vulnerability in Google Chrome's Glic component fails to properly validate untrusted input, allowing an attacker who has already compromised Chrome's renderer process to extract sensitive data across website boundaries using a specially crafted webpage. The attacker needs initial renderer process compromise but then gains the ability to read data from sites the user visits, bypassing normal browser security boundaries.

  • CVE-2026-11032MEDIUM 6.5

    Google Chrome's Password Manager contained a flaw that could allow an attacker to trick users into visiting a malicious webpage and leak sensitive data from other websites the user visits. The vulnerability requires user interaction—visiting a crafted HTML page—but once triggered, could expose cross-origin information that should remain isolated between websites. This affects Chrome on Windows, macOS, and Linux systems.

  • CVE-2026-11033MEDIUM 6.5

    A memory initialization flaw in Chrome's WebML component on macOS allows attackers to steal sensitive data. When a user visits a malicious webpage, the browser may leak uninitialized memory contents—potentially exposing passwords, tokens, or other private information—without requiring any special user interaction beyond loading the page. The issue affects Chrome versions before 149.0.7827.53 on Apple's macOS.

  • CVE-2026-0046MEDIUM 6.2

    CVE-2026-0046 is a local privilege escalation vulnerability affecting Google Android that exploits a weakness in the InputInterceptor component of Letterbox.java. An attacker can overlay malicious UI elements on top of legitimate permission prompts, tricking users into granting permissions they did not intend to approve. What makes this particularly concerning is that exploitation requires no special system privileges and occurs without user awareness—the victim merely sees what appears to be a normal permission dialog. The result is unauthorized elevation of the attacker's application privileges within the Android system.

  • CVE-2026-0055MEDIUM 6.2

    A path traversal vulnerability in Android's PackageInstallerService allows an attacker to write a Device Policy Controller (DPC) application to an unintended directory. By exploiting this flaw, an unprivileged local process can escalate its privileges without requiring user interaction or additional system permissions. The vulnerability affects multiple Android versions and could allow an attacker with local access to gain elevated capabilities on the device.

  • CVE-2026-10916MEDIUM 6.1

    CVE-2026-10916 is a cross-site scripting vulnerability in Google Chrome's developer tools that allows an attacker to inject malicious scripts or HTML content into a webpage. The attack requires two conditions: first, the attacker must have already compromised Chrome's renderer process (the component that executes web content), and second, the user must be tricked into visiting a specially crafted HTML page. While the initial compromise is a significant prerequisite, once achieved, this vulnerability enables the attacker to execute arbitrary code with the privileges of the browser session, potentially stealing sensitive data or performing actions on behalf of the user.

  • CVE-2026-11034MEDIUM 6.1

    Google Chrome on Android contains a vulnerability in its Tab Group Sync feature that allows attackers to inject malicious scripts or HTML into web pages. An attacker with network access can craft malicious traffic to exploit insufficient input validation, potentially displaying fake content or stealing user information from websites. This affects Chrome versions prior to 149.0.7827.53.

  • CVE-2026-0061MEDIUM 5.9

    CVE-2026-0061 is a privilege escalation vulnerability in Android's WindowState component that allows an attacker to manipulate the permission-granting UI through overlay attacks (tapjacking). By displaying a malicious overlay on top of the system permission dialog, an attacker can trick users into granting sensitive permissions without explicit awareness. The critical aspect is that this requires no special execution privileges and no user interaction in the traditional sense—the attack succeeds through visual deception rather than social engineering or code execution exploits.

  • CVE-2026-0075MEDIUM 5.9

    CVE-2026-0075 is a SQL injection vulnerability in Google Android's contact database access functions that allows local attackers to escalate privileges without needing special permissions or user interaction. An attacker with local access to an Android device can exploit this flaw to read, modify, or delete contact information and potentially gain elevated system privileges.

  • CVE-2025-48648MEDIUM 5.5

    CVE-2025-48648 is a denial-of-service vulnerability in Android's NotificationManagerService that allows a local attacker to exhaust system resources and crash the notification service. An attacker with basic user privileges can trigger this flaw without user interaction, causing persistent disruption to the device's notification functionality.