VYPR
Vypr Intelligence · AI-generated · Jun 5, 2026 · 25 CVEs

Google Chrome: 25 Low-Severity Vulnerabilities Disclosed June 5th

Google Chrome saw a batch of 25 low-severity vulnerabilities disclosed on June 5th, 2026, affecting various components across desktop and mobile platforms.

Key findings

  • 25 low-severity vulnerabilities disclosed for Google Chrome on June 5th, 2026.
  • All issues patched in Chrome version 149.0.7827.53.
  • Multiple 'use after free' bugs found in PDFium component.
  • Vulnerabilities affect various components including History, Passwords, and WebView.
  • Issues span desktop and mobile (iOS, Android) versions of Chrome.

On June 5th, 2026, Google disclosed a significant batch of 25 vulnerabilities affecting Google Chrome. All of these vulnerabilities were rated as low severity by Chromium security standards and were patched in Chrome version 149.0.7827.53. The disclosures highlight ongoing security efforts across various components of the widely used web browser.

The vulnerabilities span a range of components and bug classes. Notably, multiple 'use after free' vulnerabilities were identified within the PDFium component, including CVE-2026-11307, CVE-2026-11306, CVE-2026-11305, and CVE-2026-11303. These flaws could allow remote attackers to execute arbitrary code within a sandbox or exploit heap corruption via crafted PDF files. Another 'use after free' vulnerability, CVE-2026-11297, was found in the Input component, potentially allowing for a sandbox escape.

Other common vulnerability classes include insufficient policy enforcement and inappropriate implementations. For instance, CVE-2026-11309, CVE-2026-11300, CVE-2026-11294, and CVE-2026-11286, all related to insufficient policy enforcement or inappropriate implementation in areas like History, Passwords, and Wallet, could lead to UI spoofing. Similarly, CVE-2026-11302 and CVE-2026-11298, affecting Chrome for iOS, allowed for bypassing discretionary access control and same-origin policy, respectively.

Several vulnerabilities were also found in platform-specific components. On Android, CVE-2026-11297 in Reader Mode, CVE-2026-11291 in Android Autofill, and CVE-2026-11290 in WebView presented risks ranging from navigation restriction bypass to denial of service. On iOS, CVE-2026-11302 and CVE-2026-11298 were disclosed, alongside CVE-2026-11285, which also allowed for UI spoofing.

Other notable issues include an integer overflow in Fonts (CVE-2026-11299) leading to sensitive information disclosure, an inappropriate implementation in LiveCaption (CVE-2026-11301) potentially leading to out-of-bounds memory access, and side-channel information leakage in Paint (CVE-2026-11289) allowing for cross-origin data leaks. Insufficient policy enforcement in CSS (CVE-2026-11288) also contributed to cross-origin data leakage.

The consistent patching across all these issues in version 149.0.7827.53 indicates a coordinated security update from Google. While none of these vulnerabilities were rated as high or critical, their sheer number underscores the continuous need for vigilance and timely updates for all users. The diverse nature of the affected components, from core rendering engines like PDFium and Blink to specific features like Autofill and Wallet, highlights the complexity of securing a modern web browser.

Users are strongly advised to ensure their Google Chrome installations are updated to version 149.0.7827.53 or later to mitigate these security risks. The consistent disclosure of low-severity bugs, even in large numbers, is a testament to Google's ongoing commitment to identifying and addressing potential security weaknesses within its products.
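One way to check a fleet inventory against the fixed build named above, as an added example that is not part of the original article. The host names and every version other than 149.0.7827.53 are constructed sample data, and the function names are hypothetical; it assumes the single fixed build the article gives applies to every row.

```python
import re

# Fixed build named in the article; all other values below are constructed.
FIXED = (149, 0, 7827, 53)

# A four-part dotted version not embedded in a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the 4-part Chrome version found in text as an int tuple, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def triage(inventory):
    """Split (host, version_text) rows into patched / vulnerable / unknown."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory:
        version = parse_chrome_version(version_text)
        if version is None:
            # No parsable version: needs manual review, never assume patched.
            result["unknown"].append(host)
        elif version >= FIXED:
            # Tuple comparison is numeric per component, unlike string compare.
            result["patched"].append(host)
        else:
            result["vulnerable"].append(host)
    return result


# Constructed sample inventory (host, raw version string as collected).
SAMPLE = [
    ("wks-01", "Google Chrome 149.0.7827.53 "),
    ("wks-02", "Google Chrome 149.0.7827.9"),  # a string compare ranks this above .53
    ("wks-03", "149.0.7827.100"),              # a string compare ranks this below .53
    ("wks-04", "Google Chrome 148.0.7800.120"),
    ("wks-05", "150.0.7900.1 beta"),
    ("wks-06", "not installed"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Rows that land in `unknown` should be re-collected rather than treated as patched.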

AI-written article. Grounded in 25 CVE records listed below.