Google Chrome: 25 Vulnerabilities Including Critical Flaws Disclosed Together
Google Chrome: 25 vulnerabilities disclosed on July 3, 2026, patched in version 150.0.7871.46, with critical flaws in ANGLE and Skia.

Key findings
- 25 vulnerabilities disclosed on July 3, 2026, for Google Chrome, all fixed in version 150.0.7871.46.
- Flaws span multiple components including V8, ANGLE, Dawn, Skia, and Tint, with severities ranging from Low to Critical.
- Critical vulnerabilities include use-after-free bugs in ANGLE and Skia, posing sandbox escape risks.
- High-severity issues also frequently involve sandbox escape potential, particularly in ANGLE and Skia.
- Attack vectors often involve crafted HTML pages or malicious extensions, leading to memory corruption or information disclosure.
On July 3, 2026, a significant batch of 25 vulnerabilities was disclosed for Google Chrome, all patched in version 150.0.7871.46. These vulnerabilities, affecting various components including V8, ANGLE, Dawn, Skia, and Tint, range in severity from Low to Critical. The disclosures highlight potential risks such as use-after-free, out-of-bounds reads and writes, uninitialized use, type confusion, and insufficient input validation. Many of these flaws could allow remote attackers to exploit heap corruption, perform sandbox escapes, or execute arbitrary code within a sandbox, often by luring users to crafted HTML pages or through malicious extensions.
Several vulnerabilities fall into distinct categories based on the affected component:
V8 JavaScript Engine:
- CVE-2026-14394, CVE-2026-14426: Use-after-free vulnerabilities, with CVE-2026-14426 specifically allowing arbitrary code execution within a sandbox under certain UI interaction conditions.
- CVE-2026-14406: An out-of-bounds read that could lead to the disclosure of sensitive process memory via a crafted Chrome Extension.
- CVE-2026-14395, CVE-2026-14405: Out-of-bounds write and uninitialized use flaws, respectively, with the potential for arbitrary code execution inside a sandbox.
- CVE-2026-14383: An "inappropriate implementation" that could allow arbitrary code execution within a sandbox.
ANGLE (Almost Native Graphics Layer Engine):
- CVE-2026-14400, CVE-2026-14385: Out-of-bounds write and heap buffer overflow vulnerabilities, respectively, potentially leading to out-of-bounds memory access or sandbox escapes.
- CVE-2026-14386, CVE-2026-14396: Out-of-bounds read vulnerabilities, with CVE-2026-14396 specifically noted for its potential to leak cross-origin data.
- CVE-2026-14390, CVE-2026-14398: Use-after-free vulnerabilities that could allow for sandbox escapes.
- CVE-2026-14382, CVE-2026-14412: Insufficient validation of untrusted input, potentially leading to sandbox escapes.
Dawn Graphics Engine:
- CVE-2026-14408, CVE-2026-14399, CVE-2026-14421: Uninitialized use flaws, with CVE-2026-14421 specifically noted for ChromeOS. These could lead to the disclosure of sensitive information.
- CVE-2026-14417: A use-after-free vulnerability that could allow a remote attacker to perform a sandbox escape.
Skia Graphics Library:
- CVE-2026-14429, CVE-2026-14389: Insufficient validation of untrusted input and integer overflow vulnerabilities, respectively, with CVE-2026-14389 potentially allowing a sandbox escape.
- CVE-2026-14387: An integer overflow that could lead to a sandbox escape.
- CVE-2026-14419: A use-after-free vulnerability that could allow for a sandbox escape.
Tint (SPIR-V Compiler):
- CVE-2026-14422: Out-of-bounds read and write vulnerabilities that could permit out-of-bounds memory access.
- CVE-2026-14423: A type confusion vulnerability that could lead to a sandbox escape.
The batch includes three critical vulnerabilities (CVE-2026-14417, CVE-2026-14419, CVE-2026-14398), all related to use-after-free bugs in ANGLE and Skia, posing the most severe risk of sandbox escape. Additionally, there are six high-severity flaws, primarily in ANGLE and Skia, also with sandbox escape potential.
All disclosed vulnerabilities were addressed in Google Chrome version 150.0.7871.46. Users are strongly advised to update to this version or later to mitigate the risks associated with these security flaws. The consistent patching across multiple components indicates a coordinated security update by Google.
This coordinated disclosure of numerous vulnerabilities underscores the importance of timely patching for web browsers, as flaws in rendering engines and JavaScript V8 can have far-reaching implications for user security and data privacy. Users should ensure their Chrome installations are up-to-date to benefit from these security fixes. ,cve_ids=[