Google Chrome: 25 Vulnerabilities Disclosed on June 9, 2026
Google Chrome saw a significant security update on June 9, 2026, with 25 vulnerabilities patched, including 23 rated High severity.

Key findings
- 25 vulnerabilities in Google Chrome were disclosed simultaneously on June 9, 2026.
- 23 of the disclosed vulnerabilities were rated as High severity.
- Common vulnerability types include 'Use after free' and 'Insufficient validation'.
- The update addresses issues across various Chrome components, including Bluetooth, Media, and Network.
- All vulnerabilities are fixed in Chrome version 149.0.7827.103.

On June 9, 2026, Google released a substantial security update for its Chrome browser, addressing a total of 25 vulnerabilities. The batch of disclosures, all published on the same day, included a significant number of high-severity flaws, highlighting the ongoing challenges in securing complex web browsers.
The vulnerabilities span various components of Chrome, with a notable concentration of 'Use after free' bugs, which can lead to heap corruption and potentially arbitrary code execution. These include CVE-2026-11700, CVE-2026-11699, CVE-2026-11698, CVE-2026-11694, CVE-2026-11692, CVE-2026-11683, CVE-2026-11681, CVE-2026-11680, CVE-2026-11679, and CVE-2026-11677.
Several flaws related to insufficient validation of untrusted input or inappropriate implementation were also disclosed. These include CVE-2026-11701 (UI spoofing), CVE-2026-11697 (cross-origin data leak), CVE-2026-11695 (cross-origin data leak), CVE-2026-11693 (site isolation bypass), CVE-2026-11691 (cross-origin data leak), CVE-2026-11689 (site isolation bypass), CVE-2026-11688 (arbitrary code execution), CVE-2026-11685 (cross-origin data leak), CVE-2026-11684 (cross-origin data leak), and CVE-2026-11682 (sandbox escape).
Other critical vulnerabilities addressed in this batch include an uninitialized use in Video on Windows (CVE-2026-11696) allowing sensitive information disclosure, an out-of-bounds read and write in Media on Mac (CVE-2026-11690) enabling arbitrary code execution, and an integer overflow in libyuv (CVE-2026-11678) also leading to information disclosure. A race condition in the Network component on Mac (CVE-2026-11677) could also lead to a sandbox escape.
The vast majority of these vulnerabilities, specifically 23 out of 25, were classified with a Chromium security severity of 'High'. Only CVE-2026-11701 was rated 'Medium'. The common fix across all these issues was the update to Chrome version 149.0.7827.103. This unified patching across such a large number of diverse vulnerabilities suggests a significant internal review and remediation effort by the Chromium security team.
While no specific threat actors or in-the-wild exploitation details were provided in the initial disclosures for this batch, the sheer volume and severity of the vulnerabilities underscore the importance of prompt patching for all users. The ability for remote attackers to perform UI spoofing, leak sensitive data, bypass security features like site isolation, or execute arbitrary code within the sandbox highlights the potential impact if these flaws were to be exploited.
Users are strongly advised to ensure their Google Chrome browsers are updated to version 149.0.7827.103 or later to mitigate these risks. The consistent patching across a wide array of components indicates a proactive approach by Google to address security concerns within its flagship browser. Ongoing vigilance and timely updates remain crucial for maintaining a secure browsing experience.