By vendor

Google vulnerabilities

Known CVEs affecting Google products, prioritized by severity, with SEC.co remediation and detection guidance.

343 published vulnerabilities · page 4 of 4

  • CVE-2026-0060MEDIUM 5.5

    CVE-2026-0060 is a local denial-of-service vulnerability in Android's graphics driver management system. A local attacker with basic user privileges can trigger a persistent crash condition in the GraphicsDriverEnableAngleAsSystemDriverController component, rendering the graphics subsystem unavailable without requiring elevated permissions or user interaction. The issue stems from improper state handling in the updateState method.

  • CVE-2026-0067MEDIUM 5.5

    A logic error in Android's ubsan_throwing_runtime.cpp file can be exploited by a local attacker to permanently deny service to affected devices. The vulnerability requires only basic user-level permissions and no special interaction to trigger, making it a straightforward availability threat for any Android user or administrator managing affected deployments.

  • CVE-2026-0069MEDIUM 5.5

    CVE-2026-0069 is a resource exhaustion vulnerability in Android's signature verification code that allows a local attacker to crash the system without needing special privileges or user interaction. An attacker with basic local access can trigger excessive resource consumption in the APK checksum verification process, causing a denial of service.

  • CVE-2026-0070MEDIUM 5.5

    A flaw in Android's DevicePolicyManagerService allows a local attacker with standard user privileges to hide critical system packages through improper validation of input parameters. This creates a denial-of-service condition by making essential system components inaccessible, potentially rendering the device unstable or non-functional without requiring any special permissions or user interaction.

  • CVE-2026-0074MEDIUM 5.5

    CVE-2026-0074 is a denial-of-service vulnerability in Android's LauncherProcessImageListener component. An attacker with local system access can exhaust device resources through the getPreferredSize function, causing the launcher process to become unresponsive or crash. No special privileges or user interaction are required to trigger the flaw, making it a concern for multi-user devices and environments where untrusted code may run locally.

  • CVE-2026-0079MEDIUM 5.5

    CVE-2026-0079 is a denial-of-service vulnerability in Android's ubsan_throwing_runtime.cpp component. An integer overflow flaw allows a local attacker to crash or hang affected systems persistently without requiring elevated privileges or user interaction. The vulnerability resides in multiple functions within the runtime component responsible for undefined behavior sanitization, making it accessible to processes running with standard user permissions.

  • CVE-2026-0085MEDIUM 5.5

    A flaw in Android's contact data handling allows a local attacker to crash the system by inserting an unusually large contact name. The vulnerability exists in the DataRowHandler component, which fails to properly validate the size of contact name input before processing it. Because the attack requires only local access and no special privileges, any app on a compromised device could trigger the denial of service without user interaction.

  • CVE-2026-28578MEDIUM 5.5

    A flaw in Android's device policy management system allows a local attacker to cause the device to become unstable or unresponsive by exploiting improper input validation in DevicePolicyManagerService. An attacker with basic user-level access can trigger this issue without user interaction, potentially disrupting device functionality. This is a local denial-of-service vulnerability with no remote attack vector.

  • CVE-2026-10984MEDIUM 5.4

    Google Chrome on Android contains a flaw in how it handles accessibility features that allows attackers to trick users with a fake interface. By hosting a malicious webpage, an attacker can make Chrome display misleading or fraudulent content that mimics legitimate UI elements, potentially deceiving users into performing unintended actions. The vulnerability requires user interaction—specifically, a user must visit the crafted page—but does not require special privileges or complex setup.

  • CVE-2026-9971MEDIUM 5.4

    A vulnerability in Google Chrome on iOS allows attackers to inject malicious scripts or HTML code into web pages when a user performs specific interactions with the browser. An attacker would need to craft a deceptive webpage and convince a user to engage with it in particular ways—such as specific taps or gestures—to trigger the injection. Once successful, the attacker gains the ability to run arbitrary code in the context of the webpage, potentially stealing data or modifying what the user sees.

  • CVE-2026-11004MEDIUM 5.3

    CVE-2026-11004 is a memory disclosure vulnerability in Google Chrome's ANGLE graphics library. An attacker who has already compromised Chrome's renderer process can craft a malicious HTML page to read sensitive data from the browser's memory. While this requires prior compromise of the renderer, the ability to extract potentially sensitive information makes it a meaningful security concern for organizations running Chrome.

  • CVE-2026-11005MEDIUM 5.3

    A flaw in ANGLE, the graphics abstraction layer used by Google Chrome on Windows, allows a remote attacker to read sensitive data from Chrome's renderer process memory. The attacker must first compromise the renderer process and trick a user into visiting a malicious webpage. Once those conditions are met, the attacker can extract potentially sensitive information from memory that they shouldn't have access to. This is an out-of-bounds read vulnerability—the code accesses memory locations it wasn't intended to reach.

  • CVE-2026-9985MEDIUM 5.3

    A flaw in Google Chrome and ChromeOS allows an attacker who has already compromised the browser's renderer process to read sensitive data from the browser's memory by tricking a user into viewing a malicious webpage. The vulnerability stems from insufficient validation of media-related input. While this requires an initial renderer compromise, it can expose information that should have remained private within the browser process.

  • CVE-2026-10010MEDIUM 5.0

    Google Chrome on Android versions prior to 148.0.7778.216 contain a vulnerability in input handling that allows an attacker who has already compromised Chrome's renderer process to bypass site isolation protections through a specially crafted HTML page. Site isolation is a critical Chrome security boundary designed to keep sensitive data from different websites separate in memory. This flaw undermines that protection, though it requires the attacker to have already gained code execution within the browser engine itself.

  • CVE-2026-9903MEDIUM 5.0

    Google Chrome versions prior to 148.0.7778.216 contain a vulnerability in Site Isolation, a security feature designed to prevent malicious websites from accessing data from other sites you visit. An attacker who has already compromised Chrome's renderer process—the part that interprets web content—can craft a specially designed MHTML file (a web archive format) that bypasses this protection. This requires the attacker to have gained initial access to the renderer process and the user to open the malicious file, but if successful, it could allow unauthorized access to sensitive information across site boundaries.

  • CVE-2026-9942MEDIUM 5.0

    CVE-2026-9942 is a memory safety issue in ANGLE, the graphics abstraction layer used by Google Chrome. When a remote attacker has already compromised Chrome's renderer process, they can exploit this uninitialized memory condition to break out of Chrome's site isolation sandbox using a specially crafted HTML page. Site isolation is Chrome's primary defense against cross-site data theft; bypassing it allows an attacker to read data from other websites the user is visiting. This requires the renderer process to be already compromised, meaning it is a post-compromise escalation rather than an entry point.

  • CVE-2026-9979MEDIUM 5.0

    CVE-2026-9979 is a site isolation bypass vulnerability in Google Chrome that allows an attacker to escape the security boundary between different websites if they have already compromised Chrome's rendering engine. An attacker would need to trick a user into visiting a malicious HTML page while the renderer process is already under their control. Site isolation is Chrome's core defense mechanism that prevents one website's scripts from accessing another website's data; this vulnerability undermines that protection in a limited but serious scenario.

  • CVE-2026-9980MEDIUM 5.0

    Google Chrome versions before 148.0.7778.216 contain a flaw in how it validates input when printing documents. An attacker who has already compromised Chrome's rendering engine can exploit this to bypass Site Isolation, a security boundary that separates data between websites. This requires both a prior compromise of the renderer process and user interaction, making it a secondary attack in a chain rather than a standalone entry point.

  • CVE-2026-11031MEDIUM 4.3

    Google Chrome's Password Manager fails to properly validate input from network traffic before displaying it to users. An attacker can craft malicious network data that tricks the Password Manager interface into showing fake or misleading information—for example, a phishing prompt that looks legitimate. This affects Chrome versions before 149.0.7827.53 on Windows, macOS, and Linux.

  • CVE-2026-9907MEDIUM 4.3

    A memory read vulnerability in Google Chrome's Dawn graphics component allows attackers to access sensitive data from different website origins. An attacker can craft a malicious web page that, when visited by a user, tricks Chrome into reading memory beyond intended boundaries and leaking information from other websites the user may have open. This affects Windows systems running Chrome versions prior to 148.0.7778.216.

  • CVE-2026-9911MEDIUM 4.3

    CVE-2026-9911 is a memory safety issue in the ANGLE graphics library used by Google Chrome. When a user visits a specially crafted webpage, an attacker can read small amounts of sensitive data from the browser's memory. The vulnerability requires user interaction—visiting the malicious page—but needs no special permissions or browser configuration to exploit. While the data exposure is limited in scope, it could leak sensitive information like passwords, tokens, or cached credentials stored in memory.

  • CVE-2026-9913MEDIUM 4.3

    A flaw in the ANGLE graphics library component of Google Chrome prior to version 148.0.7778.216 could allow an attacker to access memory outside intended bounds when a user visits a malicious website. The vulnerability requires user interaction (visiting a crafted page) but does not require special privileges. Potential impacts include disclosure of sensitive information, though the attacker cannot modify data or crash the browser directly through this flaw.

  • CVE-2026-9919MEDIUM 4.3

    A WebGL processing flaw in Google Chrome for Android allows attackers to read data they shouldn't have access to by tricking users into visiting a malicious webpage. The vulnerability exists in how Chrome handles certain graphics operations and can leak information across website boundaries, but only affects the Android version of Chrome and requires user interaction to exploit.

  • CVE-2026-9921MEDIUM 4.3

    Google Chrome on Android contains a flaw in its WebGL graphics processing where memory buffers may not be properly initialized before use. An attacker can exploit this by crafting a malicious HTML page that, when visited, allows them to read sensitive information from other websites—a cross-origin data leak. The vulnerability requires user interaction (clicking a link or viewing a page) but does not require special privileges or complex attack setup.

  • CVE-2026-9929MEDIUM 4.3

    A flaw in how Google Chrome on Android handles WebGL—a technology that enables 3D graphics in web browsers—could allow an attacker to trick a user into visiting a malicious webpage and expose data from other websites the user has open. The attacker cannot force this to happen; the user must interact with the page, such as by clicking or scrolling. This is a cross-origin data leak, meaning sensitive information from one domain could become visible to JavaScript code running on an attacker's domain.

  • CVE-2026-9930MEDIUM 4.3

    An out-of-bounds write vulnerability exists in the Dawn graphics component of Google Chrome on macOS. An attacker can craft a malicious HTML page that, when viewed by a user, writes data to memory locations outside the intended bounds of a buffer. This memory corruption could allow an attacker to modify sensitive data or potentially achieve code execution, though the CVSS assessment indicates the integrity impact is limited. The vulnerability requires user interaction—the victim must visit or be directed to the malicious page—and affects Chrome versions prior to 148.0.7778.216 on macOS.

  • CVE-2026-9935MEDIUM 4.3

    CVE-2026-9935 is a memory safety issue in Google Chrome's ANGLE graphics library that allows attackers to steal sensitive data from other websites. When you visit a malicious webpage, an attacker can craft it to leak information that should be isolated to other sites you have open. The vulnerability requires user interaction—you must visit the attack page—but the bar for exploitation is otherwise low. Google has classified this as High severity internally, though the CVSS score reflects a more limited scope.

  • CVE-2026-9943MEDIUM 4.3

    A memory access flaw in Google Chrome's WebGL implementation on Android allows attackers to read data from other websites through a specially crafted web page. When a user visits the malicious page, the attacker can extract information (such as authentication tokens, session cookies, or sensitive content) from sites the user is logged into. This is a cross-origin data leak—meaning the attacker can access information meant to be isolated to other domains.

  • CVE-2026-9955MEDIUM 4.3

    A vulnerability in Google Chrome on iOS versions before 148.0.7778.216 allows attackers to extract sensitive information from websites the user visits. An attacker would craft a malicious webpage and trick a user into visiting it; the page can then read data intended to be private to other websites. This is a cross-origin data leak—a violation of the browser's same-origin policy that normally prevents websites from accessing each other's information.

  • CVE-2026-9986MEDIUM 4.2

    CVE-2026-9986 is a UI spoofing vulnerability in Google Chrome's OptimizationGuide component that could let an attacker deceive users about what they're seeing on a webpage. The vulnerability requires the attacker to have already compromised Chrome's rendering process—the engine that draws web content. While this limits the immediate attack scope, it represents a meaningful escalation risk for adversaries who have achieved code execution in that sandboxed component. The flaw stems from inadequate validation of user-supplied input before it's used to generate on-screen elements.

  • CVE-2026-10998MEDIUM 4.0

    CVE-2026-10998 is a memory safety issue in Google Chrome's media handling code that allows an attacker positioned on the same local network to read data from memory locations they shouldn't have access to. The vulnerability exists in Chrome versions before 149.0.7827.53. An attacker would need to send specially crafted network traffic to trigger an out-of-bounds read, which could potentially expose sensitive information resident in the browser's memory. This is a local-network-only threat, meaning the attacker must be on your network segment to exploit it.

  • CVE-2026-28581MEDIUM 4.0

    A logic error in Android's call processing code allows an application to initiate emergency calls without proper authorization checks. The vulnerability stems from inadequate validation in the CallIntentProcessor when determining the initiating user, potentially enabling an app to trigger emergency dialing functionality that should be restricted. No user interaction is required for exploitation, and the issue affects multiple Android versions.

  • CVE-2025-48616LOW 3.3

    CVE-2025-48616 is a logic error in Android's KeyguardViewMediator that allows a local attacker with basic user privileges to bypass lockdown mode when screen pinning is active, potentially exposing sensitive information on the device. The vulnerability requires no user interaction and poses a localized risk to data confidentiality on affected Android devices.

  • CVE-2026-0016LOW 3.3

    A permissions validation flaw in Android's credential management system allows a local attacker with limited user privileges to read sensitive information across other user accounts without special permissions or user interaction. The vulnerability resides in how the system handles credential provider updates when services are removed, creating a bypass that exposes data intended to be isolated between users.

  • CVE-2026-0050LOW 3.3

    CVE-2026-0050 is a local information disclosure vulnerability in Android's Bluetooth adapter service. A malicious app with basic user-level permissions can bypass security checks in the handleBondStateChanged function to read sensitive Bluetooth-related information without requiring additional privileges or user interaction. The impact is limited to information disclosure; the attacker cannot modify data or crash the system.

  • CVE-2026-0056LOW 3.3

    CVE-2026-0056 is a memory safety issue in Android's ResourceTypes.cpp component where an incorrect bounds check allows a local process to read data outside intended memory boundaries. This flaw exposes sensitive information resident in adjacent memory to any app with basic local access—no special permissions, elevated privileges, or user interaction required. The vulnerability is classified as low severity due to its limited scope and local-only nature.

  • CVE-2026-28586LOW 3.3

    CVE-2026-28586 is a local information disclosure vulnerability in Android's AppOpsService that allows an already-authenticated user to bypass permission checks and read sensitive data they shouldn't have access to. The flaw requires the attacker to already have a local account on the device; there's no way to exploit it remotely. The exposure is classified as low-severity because the data leaked is limited and no system functions are disrupted.

  • CVE-2026-10011LOW 3.1

    A flaw in Chrome's Skia graphics library could allow an attacker who has already compromised Chrome's renderer process to extract sensitive data from websites you visit. The attacker would need to serve you a specially crafted web page to perform the attack. While the underlying issue received a High severity rating from Chromium, the overall exploitability is limited because it requires both renderer compromise and user interaction, making it a low-risk vulnerability in practical terms.

  • CVE-2026-9920LOW 3.1

    Google Chrome on Android contains a vulnerability in GPU memory handling that could allow an attacker who has already compromised the browser's renderer process to access sensitive data from websites that should be isolated from each other. The vulnerability stems from uninitialized memory in the GPU code path, which under specific conditions could leak cross-origin data through a malicious webpage. This requires the renderer process to be compromised first, making it a secondary exploitation step rather than a direct entry point.

  • CVE-2026-9944LOW 3.1

    CVE-2026-9944 is a memory safety issue in the ANGLE graphics library used by Google Chrome. An attacker who has already compromised Chrome's renderer process can craft a malicious webpage to leak sensitive data from other websites or origins. The vulnerability requires the renderer to be compromised first, limiting the attack surface, but the data leakage potential is real once that initial foothold exists. Chrome versions before 148.0.7778.216 are vulnerable on Windows, macOS, and Linux.

  • CVE-2026-9950LOW 3.1

    A same-origin policy bypass vulnerability exists in Google Chrome on iOS versions prior to 148.0.7778.216. The flaw stems from insufficient validation of untrusted input that allows an attacker who has already compromised Chrome's renderer process to craft a malicious HTML page that circumvents browser security boundaries. This means an attacker could potentially access data or perform actions from a different website origin than the one a user is visiting, but only if the renderer process has already been compromised through another attack vector.

  • CVE-2026-9959LOW 3.1

    A race condition in WebRTC functionality within Google Chrome on Windows allows an attacker to leak data across origin boundaries. The vulnerability requires user interaction (clicking on a crafted HTML page) and is difficult to exploit reliably due to timing constraints. While the underlying issue is rated High severity by Chromium, the CVSS 3.1 score of 3.1 reflects the practical barriers to exploitation and limited scope—an attacker can extract sensitive information, but cannot modify data or disrupt service.

  • CVE-2026-9991LOW 3.1

    A vulnerability in Google Chrome's media handling on Windows allows an attacker who has already compromised the browser's renderer process to extract sensitive data across security boundaries. The attacker would need to host a malicious webpage and trick a user into visiting it while the renderer is already under their control. The exposure is information disclosure—no system takeover or crashes—and the barrier to exploitation is relatively high because the attacker must first achieve renderer compromise.