Vypr Intelligence · AI-generated · Jun 17, 2026 · 25 CVEs

Google Chrome: 25 High-Severity CVEs Patched in June 2026 Update

Google patches 25 high-severity Chrome vulnerabilities in a single update, including sandbox escapes, RCE in WebRTC, and cross-origin data leaks across Windows, Mac, Linux, and Android.

Key findings

  • 25 high-severity CVEs disclosed together on June 17, 2026, all fixed in Chrome 149.0.7827.155 (149.0.7827.156 on Windows and macOS)
  • Multiple sandbox escape chains: renderer compromise can lead to full system access via UAF and race bugs
  • WebRTC heap buffer overflows (CVE-2026-12466, CVE-2026-12447) enable arbitrary code execution
  • Cross-origin data leaks and UXSS bugs affect GPU, Passwords, Serial, and Views components
  • Site isolation bypasses found in Extensions and File System Access, one via crafted PDF files
  • Platform-specific flaws patched on Windows (Chromoting, WebRTC), Mac (Updater, Safe Browsing), and Android (GPU, WebView, Downloads)

Google shipped a 25-CVE security update for Chrome on June 17, 2026, fixing a cluster of high-severity vulnerabilities spanning sandbox escapes, arbitrary code execution, cross-origin data leaks, and privilege escalation across Windows, macOS, Linux, and Android. The update, which brings Chrome Stable to version 149.0.7827.155 (149.0.7827.156 on Windows and macOS), addresses bugs in GPU, WebRTC, Extensions, Media, Safe Browsing, and a dozen other components. Several of the flaws share a dangerous attack chain pattern: an attacker who first compromises the renderer process can then exploit a second vulnerability to break out of the browser's sandbox or bypass site isolation.

A significant subset of the batch targets sandbox escape via use-after-free and race-condition bugs. CVE-2026-12467 (Use after free in Extensions), CVE-2026-12464 (Use after free in Browser), CVE-2026-12465 (Object lifecycle issue in Metrics), CVE-2026-12451 (Use after free in DigitalCredentials), and CVE-2026-12468 (Race in Updater on Mac) all allow a remote attacker who has already compromised the renderer process to potentially escape the sandbox. CVE-2026-12454 (Race in Safe Browsing on Mac) and CVE-2026-12449 (Use after free in Chromoting on Windows) add platform-specific sandbox escape and local privilege escalation vectors respectively.

Remote code execution (RCE) bugs are concentrated in WebRTC and Media components. CVE-2026-12466 is a heap buffer overflow in WebRTC on Windows that allows arbitrary code execution via a crafted HTML page. CVE-2026-12447 is another heap buffer overflow in WebRTC, this time allowing code execution inside the sandbox. CVE-2026-12462 (Use after free in Media) also enables arbitrary code execution within the sandbox. CVE-2026-12455 (Use after free in Tab Strip) and CVE-2026-12452 (Use after free in Downloads on Android) could lead to heap corruption.

Cross-origin data leaks and UXSS (Universal XSS) bugs affect multiple subsystems. CVE-2026-12469 (Uninitialized Use in GPU on Android) and CVE-2026-12446 (Inappropriate implementation in Passwords) both allow leaking cross-origin data. CVE-2026-12458 (Inappropriate implementation in Passwords) requires specific UI gestures to leak data across origins. CVE-2026-12463 (Inappropriate implementation in Views on Linux) and CVE-2026-12459 (Inappropriate implementation in Serial) enable injection of arbitrary scripts or HTML (UXSS). CVE-2026-12450 (Inappropriate implementation in Media) can leak sensitive information from process memory, and CVE-2026-12461 (Out of bounds read in WebRTC on Windows) does the same.

Site isolation and same-origin policy bypasses were found in Extensions, File System Access, and Input. CVE-2026-12457 (Inappropriate implementation in Extensions) and CVE-2026-12460 (Insufficient policy enforcement in File System Access) both allow a compromised renderer to bypass site isolation — the latter via a crafted PDF file. CVE-2026-12453 (Insufficient validation of untrusted input in Input) bypasses same-origin policy. CVE-2026-12456 (Inappropriate implementation in Extensions) allows a malicious extension to bypass same-origin policy, and CVE-2026-12445 (Use after free in Extensions) enables heap corruption via a malicious extension.

Additional bugs include CVE-2026-12448 (Inappropriate implementation in WebView on Android), which enables privilege escalation, and CVE-2026-12463 (UXSS in Views on Linux), noted above. All 25 CVEs are rated High severity by the Chromium team. Google has restricted detailed technical information for some of the bugs until the majority of users have installed the update, a standard practice to limit exposure during the patch rollout window (as reported by Cyber Security News).

The update is rolling out gradually across Chrome Stable channels. Users on Windows, macOS, and Linux should update to version 149.0.7827.155 (or .156 on desktop platforms) as soon as it becomes available. Android users should update via the Google Play Store. With multiple sandbox escape chains and RCE vectors addressed in a single release, this batch underscores the importance of keeping Chrome fully up to date — particularly for users on Windows and Android, where several platform-specific flaws were patched.
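For teams that need to confirm the rollout across a fleet, the following added example (not Google's code, not part of the original article) compares installed Chrome versions against the per-platform fixed builds named above. Chrome versions are four numeric fields (MAJOR.MINOR.BUILD.PATCH), so they must be compared numerically rather than as strings. The inventory rows are constructed sample data with hypothetical hostnames.

```python
"""Triage helper: flag Chrome installs still below the fixed build.

Added example for this advisory; not Google's code. The per-platform fixed
versions are taken from the article text; the inventory rows below are
constructed sample data, not real hosts.
"""
from __future__ import annotations

# Fixed Stable versions named in the advisory (from the article text).
FIXED_VERSIONS = {
    "windows": "149.0.7827.156",
    "mac": "149.0.7827.156",
    "linux": "149.0.7827.155",
    "android": "149.0.7827.155",
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '149.0.7827.155' into (149, 0, 7827, 155) for numeric comparison.

    A plain string comparison would misorder e.g. '149.0.7827.99' against
    '149.0.7827.155', so each field is converted to an int first.
    """
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, installed: str) -> bool:
    """True when the installed build is at or above the fixed build for that platform."""
    fixed = FIXED_VERSIONS[platform.lower()]
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Return the (hostname, platform, version) rows that still need the update."""
    return [(h, p, v) for h, p, v in inventory if not is_patched(p, v)]


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "149.0.7827.156"),   # patched
    ("ws-02", "windows", "149.0.7827.155"),   # one build short on Windows
    ("mac-01", "mac", "148.0.7810.210"),      # previous major, unpatched
    ("lnx-01", "linux", "149.0.7827.155"),    # patched
    ("lnx-02", "linux", "149.0.7827.99"),     # patch field 99 < 155
    ("and-01", "android", "150.0.7900.10"),   # newer than the fixed build
]

if __name__ == "__main__":
    for host, plat, ver in triage(SAMPLE_INVENTORY):
        print(f"{host:8} {plat:8} {ver:18} NEEDS UPDATE (fixed: {FIXED_VERSIONS[plat]})")
```

Run against the sample rows, the script reports ws-02, mac-01 and lnx-02 as unpatched; ws-02 is the case worth noticing, since 149.0.7827.155 is the fixed build on Linux and Android but one build short of the Windows/macOS fix.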

AI-written article. Grounded in 25 CVE records listed below.