VYPR
Published Jun 5, 2026· 1 source

Chromium: 25 Low-Severity Vulnerabilities Disclosed Together on June 4-5, 2026


Key findings

  • 25 low-severity vulnerabilities disclosed for Google Chrome on June 4-5, 2026.
  • All issues patched in Chrome version 149.0.7827.53.
  • Vulnerabilities span multiple components including PDFium, Extensions, DevTools, and Permissions.
  • Common bug classes include 'use after free', 'inappropriate implementation', and 'insufficient validation'.
  • Potential impacts range from UI spoofing and data leakage to sandbox escapes and code execution.

On June 4-5, 2026, a batch of 25 distinct vulnerabilities in the Chromium browser engine, and therefore in Google Chrome, was disclosed together. All of them are fixed in Google Chrome version 149.0.7827.53. Chromium's own severity scheme rates each of these issues low, but the size of the batch and the range of potential impacts make it worth confirming that the update has actually landed on managed endpoints.

Several of the bugs are use-after-free issues, a memory-corruption class in which code keeps using a heap object after it has been freed. CVE-2026-11306 in the PDFium component and CVE-2026-11230 in Extensions are examples: the first could let a remote attacker execute arbitrary code inside the sandbox, the second could allow privilege escalation. A third use-after-free, CVE-2026-11224, was found in Chromoting on Linux and could allow arbitrary code execution via malicious network traffic.

Other entries are 'inappropriate implementation' flaws across several components. CVE-2026-11300, CVE-2026-11254, and CVE-2026-11294 in the Permissions and Passwords components could allow a remote attacker to spoof browser UI via a crafted HTML page. CVE-2026-11296 and CVE-2026-11239 in Extensions could allow privilege escalation. Flaws in DevTools, CVE-2026-11279 and CVE-2026-11250, could lead to arbitrary code execution within the sandbox or to disclosure of sensitive information from process memory.

Insufficient validation of untrusted input is another recurring theme: CVE-2026-11283 in Shortcuts on Mac, CVE-2026-11259 in Cast, CVE-2026-11244 in WebAuthentication, CVE-2026-11242 in Plugins, CVE-2026-11240 in Loader, and CVE-2026-11220 in Navigation. The possible outcomes are bypassing navigation restrictions, same-origin policy violations, leaking cross-origin data, and bypassing site isolation. Many of these require the attacker to have already compromised the renderer process, which is one reason they carry a lower rating than a standalone renderer bug: on their own they do nothing, but chained after a renderer exploit they weaken the boundaries that are supposed to contain it.

Further issues include insufficient policy enforcement in the Sandbox (CVE-2026-11282) and Web Bluetooth (CVE-2026-11236), both potentially allowing sandbox escapes. Domain spoofing was reported in Tab Hover Cards (CVE-2026-11227) and Tab Strip (CVE-2026-11222). CVE-2026-11213 in Reading Mode, CVE-2026-11200 in WebRTC, and CVE-2026-11176 in Media could lead to sandbox escapes or cross-origin data leakage.

All 25 vulnerabilities are fixed in Google Chrome version 149.0.7827.53. Although each is rated low, a batch this size spanning PDFium, Extensions, DevTools, Web Bluetooth and the sandbox itself is a reason to verify the rollout rather than assume auto-update has handled it: check that endpoints report 149.0.7827.53 or later (visible at chrome://version or in whatever inventory tooling is in use) and that no version pin or deferred-update policy is holding them back.
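The rollout check described above, as an added example that is not part of the original page or of Chromium: it parses reported Chrome version strings, compares them numerically against 149.0.7827.53, and sorts a small inventory into patched, unpatched and unknown hosts. The inventory records are constructed, the host-then-tab-then-version layout is an assumption, and the point it makes is that four-part versions must be compared as integers, since a plain string comparison ranks 149.0.7827.9 above 149.0.7827.53.

```python
"""Check reported Chrome versions against the fixed build 149.0.7827.53.

Added example, not code from the original page or from the Chromium
project. Inventory lines are constructed; the 'host<TAB>version' layout
is an assumption about how an asset inventory might export the data.
"""
import re
from typing import Dict, List, Tuple

# Build that the advisory says contains fixes for all 25 issues.
FIXED_VERSION = "149.0.7827.53"

# Matches a bare version and the "Google Chrome 149.0.7827.53" form that
# `google-chrome --version` prints on Linux.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part Chrome version as a tuple of ints.

    Integer tuples compare numerically, so 149.0.7827.9 correctly sorts
    below 149.0.7827.53; a plain string comparison gets this wrong.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_patched(text: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the version in `text` is at or above the fixed build."""
    return parse_chrome_version(text) >= parse_chrome_version(fixed)


def triage_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Sort 'host<TAB>version' records into patched / unpatched / unknown.

    Records with no parseable version go to 'unknown' rather than being
    dropped: a host whose version cannot be read is still unverified.
    """
    result: Dict[str, List[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, reported = line.partition("\t")
        try:
            bucket = "patched" if is_patched(reported) else "unpatched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    "# host\treported version",
    "ws-001\tGoogle Chrome 149.0.7827.53",   # exactly the fixed build
    "ws-002\t149.0.7827.9",                  # lexically 'newer', numerically older
    "ws-003\t148.0.7801.112",                # previous major release
    "ws-004\t150.0.7900.1",                  # later release, also patched
    "ws-005\tchrome not installed",          # no version to evaluate
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run it directly to see the three buckets for the sample data, or feed `triage_inventory` the real export from an inventory tool. The `unknown` bucket deserves the same follow-up as `unpatched`; a missing or garbled version string is not evidence that a host is safe.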

Synthesized by Vypr AI