Chromium: 12 Vulnerabilities Disclosed Together, Including Critical Sandbox Escapes
Key findings • Twelve Chromium vulnerabilities disclosed simultaneously on May 28, 2026. • Three critical vulnerabilities (CVSS 9.6) allow for sandbox escapes. • Multiple use-after-free b…
Key findings
- Twelve Chromium vulnerabilities disclosed simultaneously on May 28, 2026.
- Three critical vulnerabilities (CVSS 9.6) allow for sandbox escapes.
- Multiple use-after-free bugs and out-of-bounds writes were patched.
- Vulnerabilities affect core components like GPU, Media, WebGL, and DOM.
- Update to Chrome 148.0.7778.216 is available to patch these flaws.
- No active exploitation reported at the time of disclosure.
On May 28, 2026, Google released a significant update for Chromium, addressing a batch of 12 vulnerabilities disclosed simultaneously. The update, version 148.0.7778.216, targets critical security flaws, including several that could allow attackers to escape Chrome's sandbox, a crucial security boundary designed to isolate web content. This coordinated disclosure highlights ongoing efforts to secure the browser against sophisticated attacks.
The vulnerabilities span various components of the browser, with a notable concentration in areas related to media handling, graphics processing, and user interface elements. Three critical vulnerabilities, CVE-2026-9967, CVE-2026-9918, and CVE-2026-9876, all rated at CVSSv3 9.6, specifically mention the potential for sandbox escape. CVE-2026-9967 and CVE-2026-9906 involve out-of-bounds writes in the GPU process, while CVE-2026-9918 relates to an inappropriate implementation in Tint, and CVE-2026-9876 is a use-after-free vulnerability in WebGL on Android. These types of flaws are particularly concerning as they can lead to arbitrary code execution within the browser's sandbox.
Several other high-severity vulnerabilities were also patched, including use-after-free bugs in TabStrip (CVE-2026-9954) and DOM (CVE-2026-9897), and an out-of-bounds write in the GPU (CVE-2026-9906). These issues could allow remote attackers to exploit heap corruption or execute arbitrary code within the sandbox, often requiring a user to interact with a crafted HTML page or specific UI gestures. The disclosure also included vulnerabilities related to data leakage, such as CVE-2026-9991 and CVE-2026-9907, which allowed for cross-origin data leaks. Additionally, CVE-2026-9979, an insufficient validation of untrusted input, could enable attackers to bypass site isolation.
While the provided information does not indicate active exploitation of these specific CVEs at the time of disclosure, the nature of the vulnerabilities, particularly sandbox escapes, makes them high-priority targets for attackers. Security researchers noted that many of the critical flaws patched in this update were use-after-free bugs, a common class of memory safety issues that can be difficult to exploit but devastating when successful. The coordinated disclosure strategy, where detailed bug information is restricted until most users have updated, aims to mitigate the risk of widespread exploitation.
The update to version 148.0.7778.216 addresses all 12 disclosed vulnerabilities. Users are strongly advised to ensure their Chrome browsers are updated to the latest version to protect against these newly patched security weaknesses. The Chromium project continues to rely on both internal security teams and external researchers, through bug bounty programs, to identify and fix these critical issues, maintaining the security and integrity of the browser for millions of users worldwide.