Chromium: 23 High-Severity Vulnerabilities Disclosed Together on June 9, 2026

Key findings
- 23 vulnerabilities in Google Chrome disclosed simultaneously on June 9, 2026.
- Multiple critical 'use after free' flaws allow for arbitrary code execution and sandbox escapes.
- Vulnerabilities affect diverse components including Bluetooth, Extensions, and PDF handling.
- All disclosed issues are fixed in Chrome version 149.0.7827.103.
- Several vulnerabilities have platform-specific impacts on Linux, Mac, and Windows.
On June 9, 2026, Google Chrome users were urged to update their browsers following the simultaneous disclosure of 23 significant vulnerabilities. The batch, all published on the same day, includes numerous high-severity issues, several of which could allow sandbox escapes and arbitrary code execution.
The vulnerabilities span a wide range of Chrome components, with 'Use after free' being the most prevalent vulnerability type, affecting areas such as Tracing, Bluetooth, ServiceWorker, Read Anything, Navigation, PDF handling, Extensions, Proxy, Web Apps, Printing, File Input, and Ozone. Several of these 'use after free' flaws, including CVE-2026-11643, CVE-2026-11642, CVE-2026-11641, CVE-2026-11638, CVE-2026-11630, and CVE-2026-11629, were rated as critical and could lead to arbitrary code execution or heap corruption.
Beyond 'use after free' issues, other critical vulnerability classes were also disclosed. Insufficient validation of untrusted input was identified in the UI and Dawn components (CVE-2026-11697, CVE-2026-11676), and inappropriate implementations in SVG (CVE-2026-11688) and Views (CVE-2026-11682) could also lead to sandbox escapes. A notable vulnerability in the Extensions component, CVE-2026-11653, allowed site isolation to be bypassed.
Several vulnerabilities affect platform-specific components. For instance, CVE-2026-11699 and CVE-2026-11641 relate to Bluetooth on Mac and Windows respectively, while CVE-2026-11682 and CVE-2026-11659 affect Views and UI on Linux. The Passwords component was also impacted by CVE-2026-11695, which could lead to cross-origin data leakage.
All 23 disclosed vulnerabilities have been addressed in Google Chrome version 149.0.7827.103. The swift disclosure and patching of these numerous flaws underscore the dynamic nature of web browser security and the constant efforts required to maintain user safety. While no specific threat actor or in-the-wild exploitation was mentioned in the initial advisories, the severity of these bugs makes prompt updating a critical priority for all Chrome users.
Users are strongly advised to ensure their Chrome browser is updated to version 149.0.7827.103 or later to mitigate the risks associated with these newly disclosed vulnerabilities. The comprehensive nature of this patch highlights the importance of regular security updates for web browsers, which are often the primary gateway to the internet for many users.