Google Chrome 149 fixes multiple high-severity memory corruption flaws
Google released a Stable Channel security update for Chrome Desktop, fixing a broad set of vulnerabilities in versions prior to 149.0.7827.53/54 on Windows and Mac and 149.0.7827.53 on Linux, while related records also show Chrome on Android was affected before 149.0.7827.53. The Canadian Centre for Cyber Security urged users and administrators to apply the update, and public CVE entries tie the release to numerous flaws across V8, Blink, WebRTC, Compositing, Dawn, DevTools, GPU, PDFium, Extensions, Media, TabStrip, Cast, LiveCaption, Google Lens, CSS, and USB. Many of the issues are memory-safety bugs such as use-after-free, out-of-bounds write/read, integer overflow, and type confusion, with several carrying CVSS vectors indicating high impact to confidentiality, integrity, and availability.
The patched vulnerabilities include remote code execution inside Chrome’s sandbox through crafted HTML pages or malicious PDF files, information disclosure from process memory, UI spoofing, navigation restriction bypass, privilege escalation on adjacent networks, and multiple paths that could aid sandbox escape after renderer compromise. Notable examples include CVE-2026-11188 in Android USB that could potentially enable sandbox escape, CVE-2026-11256 in the GPU component, CVE-2026-11173 in V8, CVE-2026-11118 and CVE-2026-11074 in WebRTC, and several PDFium bugs including CVE-2026-11303, CVE-2026-11305, and CVE-2026-11307. Visible metadata from one additional report also points to CVE-2026-10881, linked to Chrome 149, the ANGLE layer, and memory corruption involving GPU buffer overflow and use-after-free.

How this story unfolded
26 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-12028 disclosed for Chrome GPU on Android
On June 12, 2026, CVE-2026-12028 was documented as a high-severity use-after-free flaw in Chrome's GPU component on Android affecting versions prior to 149.0.7827.115. The vulnerability could allow a remote attacker, after compromising the renderer process via a crafted HTML page, to potentially escape Chrome's sandbox; the record was updated with CWE-416 and CVSS v3.1 details.
CVE-2026-12022 disclosed for Chrome Safe Browsing on Mac
On June 12, 2026, CVE-2026-12022 was documented as a high-severity race condition in Chrome's Safe Browsing component on Mac affecting versions prior to 149.0.7827.115. The flaw could allow a remote attacker, after compromising the renderer process, to potentially escape Chrome's sandbox via a malicious file; the record includes CWE-362 and CVSS v3.1 details.
Google releases Chrome 149.0.7827.114/.115 desktop security update
Google shipped a new Stable Channel desktop update for Chrome 149, releasing version 149.0.7827.114/.115 for Windows and Mac and 149.0.7827.114 for Linux. The update fixes 28 security flaws, including five critical vulnerabilities affecting Core, DigitalCredentials, WebMIDI, Accessibility, and GPU components.
CVE-2026-12023 disclosed for Chrome GPU on Mac
On June 11, 2026, CVE-2026-12023 was recorded as a high-severity use-after-free flaw in Chrome's GPU component on Mac affecting versions prior to 149.0.7827.115. The vulnerability could allow a remote attacker, after compromising the renderer process via a crafted HTML page, to potentially escape Chrome's sandbox; the record was later updated with CWE-416 and CVSS v3.1 details.
CVE-2026-12030 disclosed for Chrome GPU on Android
On June 11, 2026, CVE-2026-12030 was documented as a high-severity out-of-bounds write flaw in Chrome's GPU component on Android affecting versions prior to 149.0.7827.115. The vulnerability could allow a remote attacker, after compromising the renderer process via a crafted HTML page, to potentially escape Chrome's sandbox; the record was later updated with CWE-122 and CVSS v3.1 details.
CVE-2026-12019 disclosed for Chrome Codecs on Linux and ChromeOS
On June 11, 2026, CVE-2026-12019 was documented as a high-severity heap buffer overflow in Chrome's Codecs component affecting Linux and ChromeOS versions prior to 149.0.7827.115. The flaw could allow a remote attacker, after compromising the renderer process via a crafted HTML page, to potentially escape Chrome's sandbox; the record was later updated with CWE-787 and CVSS v3.1 details.
CVE-2026-11700 disclosed for Chrome Tracing component
On June 9, 2026, references and metadata were added for CVE-2026-11700, a high-severity use-after-free flaw in Chrome's Tracing component affecting versions prior to 149.0.7827.103. The vulnerability could allow a remote attacker, after compromising the renderer process via a crafted HTML page, to potentially escape the sandbox; the record includes CWE-416 and CVSS v3.1 details.
CVE-2026-11663 disclosed for Chrome Skia component
On June 9, 2026, references were added for CVE-2026-11663, a high-severity use-after-free flaw in Chrome's Skia component affecting versions prior to 149.0.7827.103. The vulnerability could allow a remote attacker, after compromising the renderer process via a crafted HTML page, to potentially escape Chrome's sandbox; the record includes CWE-416 and CVSS v3.1 details.
CVE-2026-11652 disclosed for Chrome Extensions
On June 9, 2026, references and metadata were added for CVE-2026-11652, a high-severity use-after-free flaw in Chrome's Extensions component affecting versions prior to 149.0.7827.103. The vulnerability could allow a remote attacker, after compromising the renderer process via a crafted HTML page, to potentially escape the sandbox; the record includes CWE-416 and CVSS v3.1 details.
CVE-2026-11662 disclosed for Chrome Bindings component
On June 9, 2026, references were added for CVE-2026-11662, a high-severity type confusion flaw in Chrome's Bindings component affecting versions prior to 149.0.7827.103. The issue can be triggered by a crafted HTML page and may allow remote attackers to execute arbitrary code inside the browser sandbox; the record was later updated with CWE-843 and CVSS v3.1 details.
CVE-2026-11687 disclosed for Chrome Dawn on Mac
On June 9, 2026, references were added for CVE-2026-11687, a high-severity use-after-free flaw in Chrome's Dawn component on Mac affecting versions prior to 149.0.7827.103. The issue could allow a remote attacker to trigger heap corruption via a crafted HTML page, and the record includes CWE-416 and CVSS v3.1 details.
CVE-2026-11698 disclosed for Chrome Bluetooth on Mac
On June 9, 2026, references were added for CVE-2026-11698, a high-severity use-after-free flaw in Chrome's Bluetooth component on Mac affecting versions prior to 149.0.7827.103. The issue could allow a remote attacker to trigger heap corruption via a crafted HTML page, and the record includes CWE-416 and CVSS v3.1 details.
CVE-2026-11651 disclosed for Chrome Network component
On June 9, 2026, references were added for CVE-2026-11651, a high-severity use-after-free flaw in Chrome's Network component affecting versions prior to 149.0.7827.103. The issue can be triggered by a crafted HTML page and may allow remote attackers to execute arbitrary code inside Chrome's sandbox; the record includes CWE-416 and CVSS v3.1 details.
CVE-2026-11647 disclosed for Chrome Printing on Android
On June 9, 2026, references were added for CVE-2026-11647, a high-severity use-after-free flaw in Chrome's Printing component on Android affecting versions prior to 149.0.7827.103. The vulnerability could allow a remote attacker, after compromising the renderer process via a crafted HTML page, to potentially escape the sandbox; the record includes CWE-416 and CVSS v3.1 details.
CVE-2026-11674 disclosed for Chrome Guest View
On June 9, 2026, references were added for CVE-2026-11674, a high-severity use-after-free flaw in Chrome's Guest View component affecting versions prior to 149.0.7827.103. The issue can be triggered by a crafted HTML page and may allow remote attackers to execute arbitrary code inside Chrome's sandbox; the record includes CWE-416 and CVSS v3.1 details.
CVE-2026-11680 disclosed for Chrome Media on Windows
On June 9, 2026, references were added for CVE-2026-11680, a high-severity use-after-free flaw in Chrome's Media component on Windows affecting versions prior to 149.0.7827.103. The issue can be triggered by a crafted HTML page and may allow remote attackers to execute arbitrary code inside Chrome's sandbox; the record was updated with CWE-416 and CVSS v3.1 details.
CVE-2026-11657 disclosed for Chrome Payments on Mac
On June 9, 2026, references were added for CVE-2026-11657, a high-severity use-after-free flaw in Chrome's Payments component on Mac affecting versions prior to 149.0.7827.103. The issue can be triggered by a crafted HTML page and may allow remote attackers to execute arbitrary code inside Chrome's sandbox.
CVE-2026-11673 disclosed for Chrome InterestGroups component
On June 9, 2026, references were added for CVE-2026-11673, a high-severity use-after-free flaw in Chrome's InterestGroups component affecting versions prior to 149.0.7827.103. The issue can be triggered by a crafted HTML page and may allow remote attackers to execute arbitrary code inside the browser sandbox.
CVE-2026-11643 disclosed for Chrome Proxy component
On June 9, 2026, references were added for CVE-2026-11643, a use-after-free flaw in Chrome's Proxy component affecting versions prior to 149.0.7827.103. The issue could allow remote attackers to execute arbitrary code via malicious network traffic, and the record was later enriched with CWE-416 and CVSS v3.1 details.
CVE-2026-11688 disclosed for Chrome SVG implementation
On June 9, 2026, references were added for CVE-2026-11688, a high-severity inappropriate implementation flaw in Chrome's SVG component affecting versions prior to 149.0.7827.103. The issue can be triggered by a crafted HTML page and may allow arbitrary code execution inside Chrome's sandbox.
CVE-2026-11683 disclosed for Chrome WebCodecs
On June 9, 2026, references were added for CVE-2026-11683, a high-severity use-after-free flaw in Chrome WebCodecs affecting versions prior to 149.0.7827.103. The issue can be triggered by a crafted HTML page and may allow remote code execution inside Chrome's sandbox.
Chrome CVE records are enriched with CVSS and CWE metadata
On June 5, 2026, many of the Chrome CVE entries were updated with CVSS v3.1 vectors, CWE mappings, descriptions, and references to the Chrome Releases blog and Chromium issue tracker. This added technical detail for both the June 4 and June 5 vulnerability records.
Additional Chrome CVE records are received
On June 5, 2026, Google received additional CVE records for Chrome vulnerabilities affecting DevTools, GPU, PDFium, TabStrip, LiveCaption, Cast, and other components. These newly received entries expanded the set of flaws associated with the Chrome 149.0.7827.53 update cycle.
Google receives initial batch of Chrome CVE records
On June 4, 2026, Google received and recorded an initial batch of Chrome vulnerability entries affecting components including Dawn, V8, Blink, WebRTC, Media, CSS, Extensions, Compositing, and Android USB. These records covered flaws fixed in versions prior to Chrome 149.0.7827.53.
Canadian Centre for Cyber Security issues Chrome advisory
On June 3, 2026, the Canadian Centre for Cyber Security published advisory AV26-544, urging users and administrators to review Google's Chrome advisory and apply updates when available. The notice highlighted affected desktop versions on Windows, Mac, and Linux.
Google releases Chrome 149.0.7827.53/54 desktop security update
Google published a security advisory on June 2, 2026 for Stable Channel Chrome for Desktop, fixing vulnerabilities in versions prior to 149.0.7827.53/54 on Windows and Mac and prior to 149.0.7827.53 on Linux. The advisory is referenced across multiple CVE records tied to this stable channel update.
Sources
49 references tracked.
Google Patches 28 Chrome Vulnerabilities that Allow Attackers to Execute Malicious Code (cybersecuritynews.com)
Chrome 149 Update Fixes 28 Security Flaws (securityonline.info)
CVE-2026-12019 - Google Chrome Codecs Heap Buffer Overflow Sandbox Escape (cvefeed.io)
CVE-2026-12022 - Google Chrome Race Condition Sandbox Escape (cvefeed.io)
CVE-2026-11077 - Google Chrome Sandbox Arbitrary Code Execution (cvefeed.io)
CVE-2026-11185 - Google Chrome V8 Use-After-Free (cvefeed.io)
CVE-2026-11173 - Google Chrome V8 Out-of-Bounds Write (cvefeed.io)
Google Chrome security advisory (AV26-544) - Canadian Centre for Cyber Security (cyber.gc.ca)


