Microsoft published Security Update Guide entries for a broad set of Chromium vulnerabilities affecting browser components including WebRTC, ANGLE, Network, Navigation, Blink, Base, V8, Skia, and WebAudio. The listed issues include multiple use-after-free bugs such as CVE-2026-4445, CVE-2026-4454, CVE-2026-4449, and CVE-2026-4441, as well as a heap buffer overflow in ANGLE (CVE-2026-4448), a heap buffer overflow in WebAudio (CVE-2026-4443), an out-of-bounds read in Skia (CVE-2026-4460), insufficient validation of untrusted input in Navigation (CVE-2026-4451), and an inappropriate implementation flaw in V8 (CVE-2026-4461).
The same set of advisories also included non-Chromium entries tied to lower-level platform components: CVE-2026-4438 for gethostbyaddr and gethostbyaddr_r returning invalid DNS hostnames, CVE-2025-71267 for an ntfs3 infinite loop triggered by a zero-sized ATTR_LIST, and CVE-2026-23233 for an f2fs fix to avoid mapping the wrong physical block for a swapfile. Together, the disclosures show Microsoft tracking both browser-engine memory-corruption risks and underlying filesystem and networking defects through its update pipeline.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
9 events from the most recent confirmed update back to the earliest known activity.
Microsoft's Security Update Guide published an entry for CVE-2026-4680, a Chromium use-after-free vulnerability in FedCM. This marks public disclosure of the issue through Microsoft's advisory channel.
Microsoft's Security Update Guide published an entry for CVE-2026-4674, a Chromium CSS out-of-bounds read vulnerability. This marks public disclosure of the issue through Microsoft's advisory channel.
Microsoft's Security Update Guide published an entry for CVE-2026-4677, a Chromium WebAudio out-of-bounds read vulnerability. This marks public disclosure of the issue through Microsoft's advisory channel.
Microsoft's Security Update Guide published an entry for CVE-2026-4673, a Chromium WebAudio heap buffer overflow vulnerability. This marks public disclosure of the issue through Microsoft's advisory channel.
Microsoft's Security Update Guide published multiple Chromium-related advisories, including CVE-2026-4441, CVE-2026-4443, CVE-2026-4445, CVE-2026-4448, CVE-2026-4449, CVE-2026-4451, CVE-2026-4454, CVE-2026-4460, and CVE-2026-4461. The issues span use-after-free, heap buffer overflow, insufficient input validation, out-of-bounds read, and inappropriate implementation flaws across components such as WebRTC, ANGLE, Blink, Network, Navigation, Skia, Base, V8, and WebAudio.
Microsoft's Security Update Guide published an entry for CVE-2026-4438, describing an issue where gethostbyaddr and gethostbyaddr_r can return invalid DNS hostnames. This marks the public disclosure of that vulnerability in Microsoft's advisory system.
Microsoft's Security Update Guide published an entry for CVE-2026-4453, an integer overflow vulnerability in Chromium's Dawn component. This marks public disclosure of the issue through Microsoft's advisory channel.
Microsoft's Security Update Guide published an entry for CVE-2026-4459, a Chromium WebAudio out-of-bounds read and write vulnerability. This marks public disclosure of the issue through Microsoft's advisory channel.
Microsoft's Security Update Guide published entries for CVE-2025-71267, an NTFS3 infinite-loop issue triggered by a zero-sized ATTR_LIST, and CVE-2026-23233, an f2fs swapfile block-mapping flaw. These advisories indicate public disclosure of the vulnerabilities through Microsoft's update channel.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
18 references tracked. Mallory keeps watching after this page renders.
msrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.