Vypr Intelligence · AI-generated · Jul 3, 2026 · 25 CVEs

Google Chrome: 25 Vulnerabilities Including Critical Flaws Disclosed Together

Google Chrome: 25 vulnerabilities disclosed on July 3, 2026, patched in version 150.0.7871.46, with critical flaws in ANGLE and Skia.

Key findings

  • 25 vulnerabilities disclosed on July 3, 2026, for Google Chrome, all fixed in version 150.0.7871.46.
  • Flaws span multiple components including V8, ANGLE, Dawn, Skia, and Tint, with severities ranging from Low to Critical.
  • Critical vulnerabilities include use-after-free bugs in ANGLE and Skia, posing sandbox escape risks.
  • High-severity issues also frequently involve sandbox escape potential, particularly in ANGLE and Skia.
  • Attack vectors often involve crafted HTML pages or malicious extensions, leading to memory corruption or information disclosure.

On July 3, 2026, a significant batch of 25 vulnerabilities was disclosed for Google Chrome, all patched in version 150.0.7871.46. These vulnerabilities, affecting various components including V8, ANGLE, Dawn, Skia, and Tint, range in severity from Low to Critical. The disclosures highlight potential risks such as use-after-free, out-of-bounds reads and writes, uninitialized use, type confusion, and insufficient input validation. Many of these flaws could allow remote attackers to exploit heap corruption, perform sandbox escapes, or execute arbitrary code within a sandbox, often by luring users to crafted HTML pages or through malicious extensions.

Several vulnerabilities fall into distinct categories based on the affected component:

V8 JavaScript Engine:

  • CVE-2026-14394, CVE-2026-14426: Use-after-free vulnerabilities, with CVE-2026-14426 specifically allowing arbitrary code execution within a sandbox under certain UI interaction conditions.
  • CVE-2026-14406: An out-of-bounds read that could lead to the disclosure of sensitive process memory via a crafted Chrome Extension.
  • CVE-2026-14395, CVE-2026-14405: Out-of-bounds write and uninitialized use flaws, respectively, with the potential for arbitrary code execution inside a sandbox.
  • CVE-2026-14383: An "inappropriate implementation" that could allow arbitrary code execution within a sandbox.

ANGLE (Almost Native Graphics Layer Engine):

Dawn Graphics Engine:

Skia Graphics Library:

Tint (SPIR-V Compiler):

  • CVE-2026-14422: Out-of-bounds read and write vulnerabilities that could permit out-of-bounds memory access.
  • CVE-2026-14423: A type confusion vulnerability that could lead to a sandbox escape.

The batch includes three critical vulnerabilities (CVE-2026-14417, CVE-2026-14419, CVE-2026-14398), all related to use-after-free bugs in ANGLE and Skia, posing the most severe risk of sandbox escape. Additionally, there are six high-severity flaws, primarily in ANGLE and Skia, also with sandbox escape potential.

All disclosed vulnerabilities were addressed in Google Chrome version 150.0.7871.46. Users are strongly advised to update to this version or later to mitigate the risks associated with these security flaws. The consistent patching across multiple components indicates a coordinated security update by Google.
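A check for the remediation above, added here as an example and not taken from Google or the article's source: it triages an inventory of reported Chrome version strings against the fixed version 150.0.7871.46. The inventory format (strings shaped like the output of `google-chrome --version`), the hostnames and the sample versions are assumptions constructed for illustration.

```python
import re

# Fixed version stated in the article above.
FIXED = (150, 0, 7871, 46)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract the first four-part version from text such as the output of
    `google-chrome --version`; return a tuple of ints, or None if absent."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text, fixed=FIXED):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version."""
    v = parse_version(text)
    if v is None:
        return "unknown"  # never treat unparsable data as safe
    # Tuple comparison is numeric per field, so 150.0.7871.9 < 150.0.7871.46
    # (a plain string comparison would get this wrong).
    return "patched" if v >= fixed else "vulnerable"


def triage(inventory):
    """Map {host: reported version string} to {status: [hosts]}."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, reported in sorted(inventory.items()):
        result[classify(reported)].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "ws-01": "Google Chrome 150.0.7871.46",
    "ws-02": "Google Chrome 150.0.7871.9",
    "ws-03": "Google Chrome 149.0.7800.120 beta",
    "ws-04": "Google Chrome 151.0.7900.2 dev",
    "ws-05": "not installed",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket need a manual check rather than being counted as patched.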

This coordinated disclosure of numerous vulnerabilities underscores the importance of timely patching for web browsers, as flaws in rendering engines and the V8 JavaScript engine can have far-reaching implications for user security and data privacy. Users should ensure their Chrome installations are up to date to benefit from these security fixes.

AI-written article. Grounded in 25 CVE records listed below.