Microsoft added CVE-2026-9120 to its Security Update Guide as a Chromium flaw caused by a use-after-free in WebRTC, extending a pattern of browser-component memory-safety issues that have repeatedly affected Microsoft products built on Chromium. Related Microsoft advisories previously tracked similar upstream Chromium bugs including CVE-2022-2294 (heap buffer overflow in WebRTC), CVE-2022-2008 (out-of-bounds memory access in WebGL), CVE-2021-4066 (integer underflow in ANGLE), and CVE-2025-5419 (out-of-bounds read/write in V8).
The broader set of Microsoft Security Update Guide entries also shows the company continuing to catalog third-party and legacy-component vulnerabilities that can lead to severe impact, including OpenSSL CVE-2022-3602 affecting X.509 certificate verification and older Jet Database Engine remote code execution flaws such as CVE-2019-0577, CVE-2019-0579, and CVE-2020-0995. Together, the advisories highlight Microsoft's ongoing publication of high-risk memory-corruption and code-execution issues across browser, cryptographic, and database components that defenders should track for patching and exposure assessment.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
9 events from the most recent confirmed update back to the earliest known activity.
Microsoft published a Security Update Guide entry for CVE-2026-9120, a Chromium use-after-free vulnerability in WebRTC.
Microsoft published a Security Update Guide entry for CVE-2025-5419, a Chromium out-of-bounds read and write vulnerability in V8.
Microsoft published guidance for CVE-2022-3602, an OpenSSL X.509 certificate verification buffer overrun vulnerability.
Microsoft published a Security Update Guide entry for CVE-2022-2008, a Chromium out-of-bounds memory access vulnerability in WebGL.
Microsoft published a Security Update Guide entry for CVE-2022-2294, a Chromium heap buffer overflow in WebRTC.
Microsoft published guidance for CVE-2021-4066, a Chromium vulnerability described as an integer underflow in ANGLE.
Microsoft released a Security Update Guide entry for CVE-2020-0995, a Jet Database Engine remote code execution vulnerability.
Microsoft released a Security Update Guide entry for CVE-2019-0579, another Jet Database Engine remote code execution vulnerability.
Microsoft released a Security Update Guide entry for CVE-2019-0577, a Jet Database Engine remote code execution vulnerability.
9 references tracked. Mallory keeps watching after this page renders.
msrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourceportal.msrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.