VYPR
Published Jun 4, 2026 · Updated Jun 5, 2026 · 1 source

Chromium: 25 Low-Severity Vulnerabilities Disclosed Together on June 4


Key findings

  • 25 low-severity vulnerabilities in Google Chrome disclosed simultaneously on June 4, 2026.
  • Vulnerabilities affect diverse components including Web Bluetooth, Extensions, and Canvas.
  • Potential impacts range from domain spoofing and sandbox escapes to code execution.
  • All disclosed issues are addressed in Google Chrome version 149.0.7827.53.
  • Several vulnerabilities involve use-after-free bugs and insufficient input validation.

On June 4, 2026, a coordinated disclosure brought to light 25 distinct vulnerabilities in the Chromium browser engine, impacting Google Chrome. All of these issues were addressed in version 149.0.7827.53. Although Chromium categorizes them internally as low-severity, the sheer volume and the variety of potential impacts underscore the importance of timely updates for users.

The disclosed vulnerabilities span numerous components of the browser, including core functionalities and specific features. Several issues relate to insufficient policy enforcement or validation of untrusted input, leading to potential security bypasses. For instance, CVE-2026-11236 involves insufficient policy enforcement in Web Bluetooth, potentially allowing a sandbox escape. Similarly, CVE-2026-11220 and CVE-2026-11217 highlight insufficient validation in Navigation and inappropriate implementation in Fenced Frames, respectively, both enabling bypasses of site isolation.

Another significant theme among the disclosures involves use-after-free vulnerabilities. These memory corruption bugs, which can lead to arbitrary code execution or information disclosure, were found in components such as Extensions (CVE-2026-11230), Chromoting (CVE-2026-11224), Canvas (CVE-2026-11136), Base (CVE-2026-11071), and WebSockets (CVE-2026-11068). The successful exploitation of these flaws could allow attackers to execute code within the browser's sandbox or gain access to sensitive process memory.

Several vulnerabilities also touch upon the browser's user interface and security indicators, potentially enabling deceptive practices. CVE-2026-11227 and CVE-2026-11222, affecting Tab Hover Cards and the Tab Strip respectively, allowed for domain spoofing via crafted inputs. Additionally, CVE-2026-11169 and CVE-2026-11122, related to XML and Keyboard functionalities, could lead to arbitrary script or HTML injection (UXSS).

Other notable vulnerabilities include data leakage risks in WebRTC (CVE-2026-11200), Media (CVE-2026-11106), and Printing (CVE-2026-11093), where attackers could potentially exfiltrate cross-origin data. Privilege escalation was also a concern, with CVE-2026-11149 in Extensions and CVE-2026-11108 in NFC on Android allowing for elevated permissions under certain conditions.

The disclosure, as noted by Vypr Intelligence, affects diverse components and has potential impacts ranging from UI spoofing to sandbox escapes and code execution. While all issues are classified as low-severity by Chromium's internal metrics, their collective presence highlights the ongoing security challenges in complex software like web browsers. Users are strongly advised to ensure they are running Google Chrome version 149.0.7827.53 or later to benefit from these patches.

This batch of vulnerabilities, despite their low severity classification, serves as a reminder that even seemingly minor flaws can be chained or exploited in specific scenarios. The broad range of affected components, from core rendering engines to specific features like Web Bluetooth and NFC, emphasizes the need for continuous vigilance and prompt patching across the entire software ecosystem. Staying updated remains the most effective defense against such disclosures.

Synthesized by Vypr AI