By vendor

Google vulnerabilities

Known CVEs affecting Google products, prioritized by severity, with SEC.co remediation and detection guidance.

649 published vulnerabilities · page 7 of 7

  • CVE-2026-11274MEDIUM 4.3

    A flaw in Google Chrome's DOM Distiller component on iOS allows attackers to bypass navigation restrictions through a specially crafted web page. The vulnerability requires user interaction to trigger—specifically, the victim must visit or interact with a malicious page. The impact is limited to breaking navigation boundaries; no data theft or system crashes are involved. Chrome versions prior to 149.0.7827.53 on iOS are affected.

  • CVE-2026-11277MEDIUM 4.3

    A vulnerability in Chrome for iOS allows an attacker to bypass certain access controls through a specially crafted HTML page. The issue stems from insufficient enforcement of security policies in the iOS version of Chrome. An attacker would need to trick a user into visiting a malicious webpage, but no special user privileges are required and the attack is straightforward to execute. The primary risk is unauthorized modification of data or application behavior—not data theft or system crashes.

  • CVE-2026-11280MEDIUM 4.3

    A flaw in Google Chrome's sign-in interface on iOS allows an attacker to trick users with a fake login screen. By crafting a malicious web page, an attacker could make it appear that a legitimate Chrome sign-in prompt is appearing, potentially deceiving users into entering credentials or sensitive information. The vulnerability requires user interaction—visiting a crafted page—but does not require authentication or special privileges to attempt. While Google classifies this at low severity internally, the CVSS score reflects medium risk due to the integrity impact of potential credential theft or trust erosion.

  • CVE-2026-11285MEDIUM 4.3

    Google Chrome on iOS versions before 149.0.7827.53 contain a flaw that allows attackers to trick users with fake, spoofed user interface elements embedded in malicious web pages. An attacker would need to convince a user to visit a crafted HTML page, but no special privileges are required and the attack can be delivered over the network. The vulnerability does not compromise data confidentiality or availability, but could deceive users about what they are viewing or interacting with.

  • CVE-2026-11286MEDIUM 4.3

    A flaw in Google Chrome's Wallet component allows attackers who have already compromised a browser's renderer process to trick users with fake UI elements displayed on a web page. This requires the attacker to first gain control of the renderer—the part of the browser that displays web content—which is a significant prerequisite but not impossible in real-world scenarios where other vulnerabilities or social engineering may be chained together.

  • CVE-2026-11291MEDIUM 4.3

    A flaw in how Google Chrome handles autofill on Android devices allows an attacker to craft a malicious webpage that can bypass the browser's same-origin policy protections. By tricking a user into visiting their page, an attacker could potentially manipulate how Chrome autofills data in unexpected ways. Google rates this as low severity internally, though the CVSS score reflects it as medium risk due to the user interaction required and limited scope of potential impact.

  • CVE-2026-11292MEDIUM 4.3

    Google Chrome versions before 149.0.7827.53 contain a flaw in the Blink rendering engine that allows attackers to bypass Content Security Policy (CSP) protections through a specially crafted webpage. An attacker would need to trick a user into visiting a malicious site, where the weakness could enable injection of unintended content or scripts that CSP was supposed to prevent. While Chromium rates this as low severity, the CVSS score reflects moderate impact potential because CSP bypass can lead to unauthorized modifications of page behavior.

  • CVE-2026-11294MEDIUM 4.3

    Google Chrome versions prior to 149.0.7827.53 contain a flaw in password handling that allows attackers to create fake or misleading login screens through specially crafted web pages. An attacker would need to trick a user into visiting a malicious website, but once there, the browser's UI protections don't adequately prevent visual deception. This is not an authentication bypass—it's a user interface trick that could mislead people about whether they're interacting with legitimate Chrome UI or attacker-controlled content.

  • CVE-2026-11298MEDIUM 4.3

    A vulnerability in Google Chrome for iOS allows attackers to bypass the same-origin policy—a critical security boundary that prevents websites from accessing data belonging to other sites—by tricking users into visiting a specially crafted webpage. The flaw affects Chrome versions before 149.0.7827.53 on iPhones and iPads. While the Chromium project rated this as low severity, the CVSS score reflects a medium severity due to the potential for information disclosure or unauthorized content modification in cross-origin contexts.

  • CVE-2026-11300MEDIUM 4.3

    Google Chrome versions before 149.0.7827.53 contain a flaw in how it handles permissions that allows an attacker to trick users with a specially crafted web page. The attack doesn't steal data or crash the browser—instead, it displays fake permission dialogs or UI elements that might convince a user to grant access they shouldn't. The attacker needs the victim to visit the malicious page, but no special user configuration is required beforehand.

  • CVE-2026-11302MEDIUM 4.3

    A security flaw in Google Chrome for iOS allows attackers to bypass access controls through a specially crafted web page. The vulnerability requires user interaction—a person must visit the malicious page—but does not require any special privileges or system access to attempt exploitation. While Chromium's internal assessment classified this as low severity, the CVSS score of 4.3 reflects moderate concern, primarily because it can lead to unauthorized actions or changes within the browser's trust model, though it does not expose sensitive data or crash the application.

  • CVE-2026-11309MEDIUM 4.3

    Google Chrome versions before 149.0.7827.53 contain a flaw in how the browser enforces policies for the History feature. An attacker can craft a deceptive webpage that tricks users into believing they're interacting with legitimate browser UI elements or content. While the vulnerability requires user interaction and doesn't directly expose sensitive data or crash the browser, the spoofing capability could be weaponized in social engineering campaigns to steal credentials or manipulate user behavior.

  • CVE-2026-11665MEDIUM 4.3

    A flaw in Google Chrome's graphics rendering engine (Dawn) on Windows could allow an attacker to trick a user into visiting a malicious webpage that leaks sensitive data from other websites the user is logged into. The vulnerability requires user interaction—the user must visit the crafted page—but does not require any special permissions or complex attack setup. The leaked data is limited in scope and does not include the ability to modify or destroy information.

  • CVE-2026-11668MEDIUM 4.3

    Google Chrome and Chrome OS contain a weakness in their video codec processing that could allow a remote attacker to steal data from other websites. The flaw stems from uninitialized memory in the codec layer—essentially, the browser fails to properly initialize certain memory regions before use. An attacker can craft a malicious video file that, when opened by a user, exploits this memory state to read sensitive information across security boundaries. The vulnerability affects Chrome on Linux and Chrome OS versions prior to 149.0.7827.103.

  • CVE-2026-11685MEDIUM 4.3

    Google Chrome on macOS contains a flaw in how it handles media capture permissions that could allow an attacker to trick you into revealing data meant to be private to a specific website. By crafting a malicious webpage, an attacker can bypass Chrome's protections and leak information across website boundaries—essentially stealing data that should stay isolated to one origin. The vulnerability requires user interaction, such as visiting a malicious page, but does not require special privileges or system-level access.

  • CVE-2026-11695MEDIUM 4.3

    Google Chrome prior to version 149.0.7827.103 contains a flaw in its password handling logic that could allow an attacker to leak sensitive data across website boundaries. An attacker would need to craft a malicious HTML page and convince a user to visit it, but the vulnerability itself does not require the user to take additional actions beyond normal browsing. The leaked data is restricted to information accessible within the browser context of the affected user.

  • CVE-2026-9907MEDIUM 4.3

    A memory read vulnerability in Google Chrome's Dawn graphics component allows attackers to access sensitive data from different website origins. An attacker can craft a malicious web page that, when visited by a user, tricks Chrome into reading memory beyond intended boundaries and leaking information from other websites the user may have open. This affects Windows systems running Chrome versions prior to 148.0.7778.216.

  • CVE-2026-9911MEDIUM 4.3

    CVE-2026-9911 is a memory safety issue in the ANGLE graphics library used by Google Chrome. When a user visits a specially crafted webpage, an attacker can read small amounts of sensitive data from the browser's memory. The vulnerability requires user interaction—visiting the malicious page—but needs no special permissions or browser configuration to exploit. While the data exposure is limited in scope, it could leak sensitive information like passwords, tokens, or cached credentials stored in memory.

  • CVE-2026-9913MEDIUM 4.3

    A flaw in the ANGLE graphics library component of Google Chrome prior to version 148.0.7778.216 could allow an attacker to access memory outside intended bounds when a user visits a malicious website. The vulnerability requires user interaction (visiting a crafted page) but does not require special privileges. Potential impacts include disclosure of sensitive information, though the attacker cannot modify data or crash the browser directly through this flaw.

  • CVE-2026-9919MEDIUM 4.3

    A WebGL processing flaw in Google Chrome for Android allows attackers to read data they shouldn't have access to by tricking users into visiting a malicious webpage. The vulnerability exists in how Chrome handles certain graphics operations and can leak information across website boundaries, but only affects the Android version of Chrome and requires user interaction to exploit.

  • CVE-2026-9921MEDIUM 4.3

    Google Chrome on Android contains a flaw in its WebGL graphics processing where memory buffers may not be properly initialized before use. An attacker can exploit this by crafting a malicious HTML page that, when visited, allows them to read sensitive information from other websites—a cross-origin data leak. The vulnerability requires user interaction (clicking a link or viewing a page) but does not require special privileges or complex attack setup.

  • CVE-2026-9929MEDIUM 4.3

    A flaw in how Google Chrome on Android handles WebGL—a technology that enables 3D graphics in web browsers—could allow an attacker to trick a user into visiting a malicious webpage and expose data from other websites the user has open. The attacker cannot force this to happen; the user must interact with the page, such as by clicking or scrolling. This is a cross-origin data leak, meaning sensitive information from one domain could become visible to JavaScript code running on an attacker's domain.

  • CVE-2026-9930MEDIUM 4.3

    An out-of-bounds write vulnerability exists in the Dawn graphics component of Google Chrome on macOS. An attacker can craft a malicious HTML page that, when viewed by a user, writes data to memory locations outside the intended bounds of a buffer. This memory corruption could allow an attacker to modify sensitive data or potentially achieve code execution, though the CVSS assessment indicates the integrity impact is limited. The vulnerability requires user interaction—the victim must visit or be directed to the malicious page—and affects Chrome versions prior to 148.0.7778.216 on macOS.

  • CVE-2026-9935MEDIUM 4.3

    CVE-2026-9935 is a memory safety issue in Google Chrome's ANGLE graphics library that allows attackers to steal sensitive data from other websites. When you visit a malicious webpage, an attacker can craft it to leak information that should be isolated to other sites you have open. The vulnerability requires user interaction—you must visit the attack page—but the bar for exploitation is otherwise low. Google has classified this as High severity internally, though the CVSS score reflects a more limited scope.

  • CVE-2026-9943MEDIUM 4.3

    A memory access flaw in Google Chrome's WebGL implementation on Android allows attackers to read data from other websites through a specially crafted web page. When a user visits the malicious page, the attacker can extract information (such as authentication tokens, session cookies, or sensitive content) from sites the user is logged into. This is a cross-origin data leak—meaning the attacker can access information meant to be isolated to other domains.

  • CVE-2026-9955MEDIUM 4.3

    A vulnerability in Google Chrome on iOS versions before 148.0.7778.216 allows attackers to extract sensitive information from websites the user visits. An attacker would craft a malicious webpage and trick a user into visiting it; the page can then read data intended to be private to other websites. This is a cross-origin data leak—a violation of the browser's same-origin policy that normally prevents websites from accessing each other's information.

  • CVE-2026-9986MEDIUM 4.2

    CVE-2026-9986 is a UI spoofing vulnerability in Google Chrome's OptimizationGuide component that could let an attacker deceive users about what they're seeing on a webpage. The vulnerability requires the attacker to have already compromised Chrome's rendering process—the engine that draws web content. While this limits the immediate attack scope, it represents a meaningful escalation risk for adversaries who have achieved code execution in that sandboxed component. The flaw stems from inadequate validation of user-supplied input before it's used to generate on-screen elements.

  • CVE-2026-10998MEDIUM 4.0

    CVE-2026-10998 is a memory safety issue in Google Chrome's media handling code that allows an attacker positioned on the same local network to read data from memory locations they shouldn't have access to. The vulnerability exists in Chrome versions before 149.0.7827.53. An attacker would need to send specially crafted network traffic to trigger an out-of-bounds read, which could potentially expose sensitive information resident in the browser's memory. This is a local-network-only threat, meaning the attacker must be on your network segment to exploit it.

  • CVE-2026-28581MEDIUM 4.0

    A logic error in Android's call processing code allows an application to initiate emergency calls without proper authorization checks. The vulnerability stems from inadequate validation in the CallIntentProcessor when determining the initiating user, potentially enabling an app to trigger emergency dialing functionality that should be restricted. No user interaction is required for exploitation, and the issue affects multiple Android versions.

  • CVE-2025-48616LOW 3.3

    CVE-2025-48616 is a logic error in Android's KeyguardViewMediator that allows a local attacker with basic user privileges to bypass lockdown mode when screen pinning is active, potentially exposing sensitive information on the device. The vulnerability requires no user interaction and poses a localized risk to data confidentiality on affected Android devices.

  • CVE-2026-0016LOW 3.3

    A permissions validation flaw in Android's credential management system allows a local attacker with limited user privileges to read sensitive information across other user accounts without special permissions or user interaction. The vulnerability resides in how the system handles credential provider updates when services are removed, creating a bypass that exposes data intended to be isolated between users.

  • CVE-2026-0050LOW 3.3

    CVE-2026-0050 is a local information disclosure vulnerability in Android's Bluetooth adapter service. A malicious app with basic user-level permissions can bypass security checks in the handleBondStateChanged function to read sensitive Bluetooth-related information without requiring additional privileges or user interaction. The impact is limited to information disclosure; the attacker cannot modify data or crash the system.

  • CVE-2026-0056LOW 3.3

    CVE-2026-0056 is a memory safety issue in Android's ResourceTypes.cpp component where an incorrect bounds check allows a local process to read data outside intended memory boundaries. This flaw exposes sensitive information resident in adjacent memory to any app with basic local access—no special permissions, elevated privileges, or user interaction required. The vulnerability is classified as low severity due to its limited scope and local-only nature.

  • CVE-2026-21034LOW 3.3

    Samsung Auto versions prior to 3.1.2.61 (Android 15) and 3.2.0.38 (Android 16) contain a flaw that improperly exposes application components. A local attacker with user-level access can exploit this exposure to modify audio settings without user consent. The vulnerability is rated LOW severity and does not affect confidentiality or system availability, only the integrity of audio configuration.

  • CVE-2026-28586LOW 3.3

    CVE-2026-28586 is a local information disclosure vulnerability in Android's AppOpsService that allows an already-authenticated user to bypass permission checks and read sensitive data they shouldn't have access to. The flaw requires the attacker to already have a local account on the device; there's no way to exploit it remotely. The exposure is classified as low-severity because the data leaked is limited and no system functions are disrupted.

  • CVE-2026-10011LOW 3.1

    A flaw in Chrome's Skia graphics library could allow an attacker who has already compromised Chrome's renderer process to extract sensitive data from websites you visit. The attacker would need to serve you a specially crafted web page to perform the attack. While the underlying issue received a High severity rating from Chromium, the overall exploitability is limited because it requires both renderer compromise and user interaction, making it a low-risk vulnerability in practical terms.

  • CVE-2026-11240LOW 3.1

    CVE-2026-11240 is a low-severity input validation flaw in Google Chrome's Loader component that allows a remote attacker to bypass the browser's site isolation security feature, but only if they have already compromised the renderer process. Site isolation is Chrome's defense mechanism that runs each website in a separate process to prevent one compromised site from accessing data from another. An attacker would need to deliver a specially crafted HTML page to exploit this, making it a post-compromise risk rather than a direct remote code execution vector. The vulnerability affects Chrome versions prior to 149.0.7827.53.

  • CVE-2026-11244LOW 3.1

    CVE-2026-11244 is a low-severity flaw in Google Chrome's WebAuthentication feature that allows inadequate validation of user-supplied input. An attacker with prior access to Chrome's renderer process—the component responsible for displaying web pages—could craft a malicious HTML page to circumvent the browser's same-origin policy, a fundamental security boundary that prevents scripts from one website accessing data from another. This is not a direct remote code execution and requires both renderer process compromise and user interaction to succeed.

  • CVE-2026-11247LOW 3.1

    A flaw in Google Chrome's CustomTabs feature on Android allows an attacker to leak data across website boundaries through a specially crafted webpage. The vulnerability requires user interaction and is difficult to exploit, affecting Android devices running Chrome versions before 149.0.7827.53. While the risk is low, it represents a potential privacy leak in a widely used mobile browser component.

  • CVE-2026-11251LOW 3.1

    A flaw in Chrome's password manager allows a sophisticated attacker to read stored password information if they can first compromise Chrome's renderer process through a malicious web page. The vulnerability requires multiple conditions to exploit: the attacker must already control the rendering engine, the user must interact with the page, and the attack surface is limited to sensitive credential disclosure. Chrome versions before 149.0.7827.53 are affected. This is not a zero-click issue and does not allow code execution or system-level access.

  • CVE-2026-11675LOW 3.1

    Google Chrome contained a memory reading vulnerability in its Skia graphics library that could allow an attacker to steal sensitive data from other websites. The attacker would first need to compromise Chrome's renderer process—the sandboxed component that handles web page rendering—and then trick a user into visiting a specially crafted webpage. If successful, the flaw could leak cross-origin data, meaning information from a different website than the one the user thought they were visiting. This vulnerability affects Chrome versions prior to 149.0.7827.103 across Windows, macOS, and Linux systems.

  • CVE-2026-11684LOW 3.1

    A policy enforcement gap in Google Chrome's Network component allowed attackers who had already compromised Chrome's utility process to steal cross-origin data by serving a specially crafted HTML page. This is a post-compromise attack where the attacker has already gained some level of access to the browser process itself, then exploits this weakness to read data that should be isolated between different websites.

  • CVE-2026-11686LOW 3.1

    A flaw in Google Chrome's Dawn graphics library on macOS allows an attacker who has already compromised the browser's renderer process to trick the system into leaking data from other websites. The vulnerability requires the attacker to already have control over the renderer and the user to interact with a malicious webpage, making it a limited but real risk in scenarios where renderer escapes are already being exploited.

  • CVE-2026-11691LOW 3.1

    Google Chrome contained a flaw in its New Tab Page that could allow attackers who had already compromised Chrome's renderer process to steal data from websites across different origins. The vulnerability required an attacker to have already broken into the renderer—the sandboxed component that runs web content—and then trick a user into visiting a malicious HTML page. While the Chromium security team rated this High severity internally, the calculated CVSS score is Low (3.1) because the attack requires both prior renderer compromise and user interaction.

  • CVE-2026-9920LOW 3.1

    Google Chrome on Android contains a vulnerability in GPU memory handling that could allow an attacker who has already compromised the browser's renderer process to access sensitive data from websites that should be isolated from each other. The vulnerability stems from uninitialized memory in the GPU code path, which under specific conditions could leak cross-origin data through a malicious webpage. This requires the renderer process to be compromised first, making it a secondary exploitation step rather than a direct entry point.

  • CVE-2026-9944LOW 3.1

    CVE-2026-9944 is a memory safety issue in the ANGLE graphics library used by Google Chrome. An attacker who has already compromised Chrome's renderer process can craft a malicious webpage to leak sensitive data from other websites or origins. The vulnerability requires the renderer to be compromised first, limiting the attack surface, but the data leakage potential is real once that initial foothold exists. Chrome versions before 148.0.7778.216 are vulnerable on Windows, macOS, and Linux.

  • CVE-2026-9950LOW 3.1

    A same-origin policy bypass vulnerability exists in Google Chrome on iOS versions prior to 148.0.7778.216. The flaw stems from insufficient validation of untrusted input that allows an attacker who has already compromised Chrome's renderer process to craft a malicious HTML page that circumvents browser security boundaries. This means an attacker could potentially access data or perform actions from a different website origin than the one a user is visiting, but only if the renderer process has already been compromised through another attack vector.

  • CVE-2026-9959LOW 3.1

    A race condition in WebRTC functionality within Google Chrome on Windows allows an attacker to leak data across origin boundaries. The vulnerability requires user interaction (clicking on a crafted HTML page) and is difficult to exploit reliably due to timing constraints. While the underlying issue is rated High severity by Chromium, the CVSS 3.1 score of 3.1 reflects the practical barriers to exploitation and limited scope—an attacker can extract sensitive information, but cannot modify data or disrupt service.

  • CVE-2026-9991LOW 3.1

    A vulnerability in Google Chrome's media handling on Windows allows an attacker who has already compromised the browser's renderer process to extract sensitive data across security boundaries. The attacker would need to host a malicious webpage and trick a user into visiting it while the renderer is already under their control. The exposure is information disclosure—no system takeover or crashes—and the barrier to exploitation is relatively high because the attacker must first achieve renderer compromise.