VYPR
Vypr Intelligence · AI-generated · Jun 4, 2026 · 25 CVEs

Google Chrome: 25 Low-Severity Vulnerabilities Disclosed Together

Google Chrome saw a batch of 25 low-severity vulnerabilities disclosed on June 4, 2026, impacting various components and features within the browser.

Key findings

  • 25 low-severity vulnerabilities in Google Chrome disclosed simultaneously on June 4, 2026.
  • Vulnerabilities affect diverse components including Media, Web Bluetooth, and Extensions.
  • Potential impacts range from UI spoofing and domain spoofing to sandbox escapes and code execution.
  • All issues are addressed in Google Chrome version 149.0.7827.53.
  • Specific vulnerabilities noted for impact on macOS, Linux, and Android platforms.

On June 4, 2026, a significant cluster of 25 vulnerabilities affecting Google Chrome was disclosed, all patched in version 149.0.7827.53. While all reported vulnerabilities are categorized with low severity by Chromium's internal metrics, their sheer number and diverse impact areas warrant attention from users and administrators.

The disclosed issues span a wide array of Chrome's functionalities, including media handling, Web Bluetooth, compositing, foldable APIs, tab groups, Safe Browsing, extensions, enterprise features, file input, tab hover cards, preview tabs, WebUI, Chromoting, network processes, tab strips, pointer lock, navigation, platform integration, and fenced frames. This broad scope suggests a comprehensive review of the browser's security posture.

Several vulnerabilities revolve around insufficient validation of untrusted input or inappropriate implementations within specific components. For instance, CVE-2026-11237 and CVE-2026-11223 highlight issues with input validation in Media and Network components, respectively, potentially leading to UI spoofing or same-origin policy bypasses if an attacker compromises the renderer process. Similarly, CVE-2026-11235 and CVE-2026-11223 point to problems with Foldable APIs and Network components, respectively, which could allow for same-origin policy bypasses.

Other vulnerabilities focus on policy enforcement and UI elements. CVE-2026-11236 and CVE-2026-11233, related to Web Bluetooth and Foldable APIs, respectively, could allow for sandbox escapes or same-origin policy bypasses. UI-related issues include CVE-2026-11232 (TabGroups) and CVE-2026-11228 (File Input), both leading to UI spoofing. Domain spoofing is a concern in CVE-2026-11227 (Tab Hover Cards), CVE-2026-11225 (WebUI), CVE-2026-11222 (Tab Strip), and CVE-2026-11215 (Cronet).

Specific platform impacts were noted for some CVEs. CVE-2026-11231 (Safe Browsing) affects Chrome on Mac, allowing for arbitrary code execution via a malicious file. CVE-2026-11224 (Chromoting) impacts Chrome on Linux, enabling arbitrary code execution through malicious network traffic. CVE-2026-11218 (PlatformIntegration) affects Chrome on Windows, potentially leading to arbitrary code execution via a malicious file after specific user interaction. CVE-2026-11226 (PreviewTab) and CVE-2026-11215 (Cronet) are both noted for Android.

While no specific threat actors or in-the-wild exploitation were mentioned in the disclosure for this batch, the nature of these vulnerabilities, particularly those allowing for code execution or sandbox escapes, underscores the importance of prompt patching. The fix for all these issues was included in Google Chrome version 149.0.7827.53.

Users are strongly advised to ensure their Google Chrome browsers are updated to version 149.0.7827.53 or later to mitigate these vulnerabilities. The broad range of affected components means that a wide variety of user interactions could potentially trigger these issues, making timely updates crucial for maintaining a secure browsing experience.

AI-written article. Grounded in 25 CVE records listed below.