By vendor
Google vulnerabilities
Known CVEs affecting Google products, prioritized by severity, with SEC.co remediation and detection guidance.
224 published vulnerabilities · page 3 of 3
- CVE-2026-0018MEDIUM 5.5
CVE-2026-0018 is a denial-of-service vulnerability in Android's AccessibilityManagerService that allows a local attacker with user-level privileges to crash or hang the accessibility subsystem persistently. No special permissions, code execution, or user interaction are required to trigger the flaw—an authenticated local process can simply send malformed input to designated service functions that fail to properly validate their parameters. This could degrade or disable accessibility features for affected users.
- CVE-2026-0042MEDIUM 5.5
CVE-2026-0042 is a resource exhaustion vulnerability in Google Android's UBSan runtime component that allows a local attacker to cause a persistent denial of service. An attacker with basic user-level access can trigger the flaw without user interaction, exhausting system resources and rendering the device unavailable. The vulnerability does not enable unauthorized access or data theft—only availability disruption.
- CVE-2026-0043MEDIUM 5.5
CVE-2026-0043 is a medium-severity integer overflow vulnerability in Android's UBSan runtime library that can cause a persistent denial of service and local privilege escalation. The flaw resides in multiple functions within ubsan_throwing_runtime.cpp and requires only local access to exploit—no special privileges or user interaction are needed. Once triggered, the integer overflow can exhaust system resources or corrupt memory state, denying service to the affected device or enabling an attacker to elevate their privileges locally.
- CVE-2026-0060MEDIUM 5.5
CVE-2026-0060 is a local denial-of-service vulnerability in Android's graphics driver management system. A local attacker with basic user privileges can trigger a persistent crash condition in the GraphicsDriverEnableAngleAsSystemDriverController component, rendering the graphics subsystem unavailable without requiring elevated permissions or user interaction. The issue stems from improper state handling in the updateState method.
- CVE-2026-0067MEDIUM 5.5
A logic error in Android's ubsan_throwing_runtime.cpp file can be exploited by a local attacker to permanently deny service to affected devices. The vulnerability requires only basic user-level permissions and no special interaction to trigger, making it a straightforward availability threat for any Android user or administrator managing affected deployments.
- CVE-2026-0069MEDIUM 5.5
CVE-2026-0069 is a resource exhaustion vulnerability in Android's signature verification code that allows a local attacker to crash the system without needing special privileges or user interaction. An attacker with basic local access can trigger excessive resource consumption in the APK checksum verification process, causing a denial of service.
- CVE-2026-0070MEDIUM 5.5
A flaw in Android's DevicePolicyManagerService allows a local attacker with standard user privileges to hide critical system packages through improper validation of input parameters. This creates a denial-of-service condition by making essential system components inaccessible, potentially rendering the device unstable or non-functional without requiring any special permissions or user interaction.
- CVE-2026-0074MEDIUM 5.5
CVE-2026-0074 is a denial-of-service vulnerability in Android's LauncherProcessImageListener component. An attacker with local system access can exhaust device resources through the getPreferredSize function, causing the launcher process to become unresponsive or crash. No special privileges or user interaction are required to trigger the flaw, making it a concern for multi-user devices and environments where untrusted code may run locally.
- CVE-2026-0079MEDIUM 5.5
CVE-2026-0079 is a denial-of-service vulnerability in Android's ubsan_throwing_runtime.cpp component. An integer overflow flaw allows a local attacker to crash or hang affected systems persistently without requiring elevated privileges or user interaction. The vulnerability resides in multiple functions within the runtime component responsible for undefined behavior sanitization, making it accessible to processes running with standard user permissions.
- CVE-2026-0085MEDIUM 5.5
A flaw in Android's contact data handling allows a local attacker to crash the system by inserting an unusually large contact name. The vulnerability exists in the DataRowHandler component, which fails to properly validate the size of contact name input before processing it. Because the attack requires only local access and no special privileges, any app on a compromised device could trigger the denial of service without user interaction.
- CVE-2026-28578MEDIUM 5.5
A flaw in Android's device policy management system allows a local attacker to cause the device to become unstable or unresponsive by exploiting improper input validation in DevicePolicyManagerService. An attacker with basic user-level access can trigger this issue without user interaction, potentially disrupting device functionality. This is a local denial-of-service vulnerability with no remote attack vector.
- CVE-2026-10984MEDIUM 5.4
Google Chrome on Android contains a flaw in how it handles accessibility features that allows attackers to trick users with a fake interface. By hosting a malicious webpage, an attacker can make Chrome display misleading or fraudulent content that mimics legitimate UI elements, potentially deceiving users into performing unintended actions. The vulnerability requires user interaction—specifically, a user must visit the crafted page—but does not require special privileges or complex setup.
- CVE-2026-11004MEDIUM 5.3
CVE-2026-11004 is a memory disclosure vulnerability in Google Chrome's ANGLE graphics library. An attacker who has already compromised Chrome's renderer process can craft a malicious HTML page to read sensitive data from the browser's memory. While this requires prior compromise of the renderer, the ability to extract potentially sensitive information makes it a meaningful security concern for organizations running Chrome.
- CVE-2026-11005MEDIUM 5.3
A flaw in ANGLE, the graphics abstraction layer used by Google Chrome on Windows, allows a remote attacker to read sensitive data from Chrome's renderer process memory. The attacker must first compromise the renderer process and trick a user into visiting a malicious webpage. Once those conditions are met, the attacker can extract potentially sensitive information from memory that they shouldn't have access to. This is an out-of-bounds read vulnerability—the code accesses memory locations it wasn't intended to reach.
- CVE-2026-10010MEDIUM 5.0
Google Chrome on Android versions prior to 148.0.7778.216 contain a vulnerability in input handling that allows an attacker who has already compromised Chrome's renderer process to bypass site isolation protections through a specially crafted HTML page. Site isolation is a critical Chrome security boundary designed to keep sensitive data from different websites separate in memory. This flaw undermines that protection, though it requires the attacker to have already gained code execution within the browser engine itself.
- CVE-2026-11031MEDIUM 4.3
Google Chrome's Password Manager fails to properly validate input from network traffic before displaying it to users. An attacker can craft malicious network data that tricks the Password Manager interface into showing fake or misleading information—for example, a phishing prompt that looks legitimate. This affects Chrome versions before 149.0.7827.53 on Windows, macOS, and Linux.
- CVE-2026-10998MEDIUM 4.0
CVE-2026-10998 is a memory safety issue in Google Chrome's media handling code that allows an attacker positioned on the same local network to read data from memory locations they shouldn't have access to. The vulnerability exists in Chrome versions before 149.0.7827.53. An attacker would need to send specially crafted network traffic to trigger an out-of-bounds read, which could potentially expose sensitive information resident in the browser's memory. This is a local-network-only threat, meaning the attacker must be on your network segment to exploit it.
- CVE-2026-28581MEDIUM 4.0
A logic error in Android's call processing code allows an application to initiate emergency calls without proper authorization checks. The vulnerability stems from inadequate validation in the CallIntentProcessor when determining the initiating user, potentially enabling an app to trigger emergency dialing functionality that should be restricted. No user interaction is required for exploitation, and the issue affects multiple Android versions.
- CVE-2025-48616LOW 3.3
CVE-2025-48616 is a logic error in Android's KeyguardViewMediator that allows a local attacker with basic user privileges to bypass lockdown mode when screen pinning is active, potentially exposing sensitive information on the device. The vulnerability requires no user interaction and poses a localized risk to data confidentiality on affected Android devices.
- CVE-2026-0016LOW 3.3
A permissions validation flaw in Android's credential management system allows a local attacker with limited user privileges to read sensitive information across other user accounts without special permissions or user interaction. The vulnerability resides in how the system handles credential provider updates when services are removed, creating a bypass that exposes data intended to be isolated between users.
- CVE-2026-0050LOW 3.3
CVE-2026-0050 is a local information disclosure vulnerability in Android's Bluetooth adapter service. A malicious app with basic user-level permissions can bypass security checks in the handleBondStateChanged function to read sensitive Bluetooth-related information without requiring additional privileges or user interaction. The impact is limited to information disclosure; the attacker cannot modify data or crash the system.
- CVE-2026-0056LOW 3.3
CVE-2026-0056 is a memory safety issue in Android's ResourceTypes.cpp component where an incorrect bounds check allows a local process to read data outside intended memory boundaries. This flaw exposes sensitive information resident in adjacent memory to any app with basic local access—no special permissions, elevated privileges, or user interaction required. The vulnerability is classified as low severity due to its limited scope and local-only nature.
- CVE-2026-28586LOW 3.3
CVE-2026-28586 is a local information disclosure vulnerability in Android's AppOpsService that allows an already-authenticated user to bypass permission checks and read sensitive data they shouldn't have access to. The flaw requires the attacker to already have a local account on the device; there's no way to exploit it remotely. The exposure is classified as low-severity because the data leaked is limited and no system functions are disrupted.
- CVE-2026-10011LOW 3.1
A flaw in Chrome's Skia graphics library could allow an attacker who has already compromised Chrome's renderer process to extract sensitive data from websites you visit. The attacker would need to serve you a specially crafted web page to perform the attack. While the underlying issue received a High severity rating from Chromium, the overall exploitability is limited because it requires both renderer compromise and user interaction, making it a low-risk vulnerability in practical terms.