Chromium: 25 Vulnerabilities Disclosed Together, Affecting Chrome 149.0.7827.53
Key findings
- 25 vulnerabilities in Chromium disclosed together on June 4-5, 2026.
- All disclosed issues are fixed in Google Chrome version 149.0.7827.53.
- Vulnerabilities span multiple components including Permissions, Extensions, and SVG.
- Bug classes include 'inappropriate implementation', 'insufficient validation', and 'use after free'.
- Potential impacts range from UI spoofing and data leakage to privilege escalation and code execution.
- Despite internal low-severity ratings, the volume and variety of bugs are notable.
On June 4-5, 2026, a significant batch of 25 vulnerabilities affecting the Chromium browser engine, which underpins Google Chrome, was disclosed. These vulnerabilities, though internally classified as low-severity by Chromium security standards, span a wide array of components and potential impacts. All issues have been addressed in Google Chrome version 149.0.7827.53.
The disclosures highlight the ongoing security efforts within the development of the widely used web browser. The vulnerabilities affect various components, including Permissions, Autofill, Loader, Extensions, Safe Browsing, ServiceWorker, Workers, XML, SVG, Site Isolation, Blink, Canvas, Chromoting, Printing, Cast, and Payments. The disclosures occurred within a tight one-hour window on June 4th and 5th, 2026, indicating a coordinated release.
Several vulnerabilities fall under the category of 'inappropriate implementation' or 'insufficient validation.' For instance, CVE-2026-11300 and CVE-2026-11254, both rated Medium, involve inappropriate implementation in Permissions, allowing for UI spoofing. Similarly, CVE-2026-11265, also Medium, relates to an inappropriate implementation in Autofill, potentially leading to cross-origin data leakage. CVE-2026-11240, a Low severity bug, stems from insufficient validation of untrusted input in the Loader component, enabling a bypass of site isolation.
More critical impacts were noted in other disclosures. CVE-2026-11239, rated High, involves an inappropriate implementation in Extensions, allowing for privilege escalation. Additionally, several 'use after free' vulnerabilities were identified. CVE-2026-11171, CVE-2026-11136, and CVE-2026-11000, all rated High with CVSSv3 scores of 8.8, are use-after-free bugs in Base, Canvas, and Fonts respectively, with the potential to execute arbitrary code within the sandbox. CVE-2026-11000 specifically affects Linux versions of Chrome.
Other notable vulnerabilities include type confusion in XML (CVE-2026-11196), which could lead to sensitive information disclosure, and UXSS vulnerabilities in XML (CVE-2026-11169), allowing for script or HTML injection. Exploitation vectors often involved crafted HTML pages or specific file types like RAR files (CVE-2026-11210).
The batch of vulnerabilities spans multiple platforms, including desktop and mobile versions of Chrome (Android and iOS). This broad impact underscores the importance of keeping the browser updated to the latest version, 149.0.7827.53, which addresses all these disclosed issues.
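As an added example (not part of the original advisory), the following script checks whether an installed Chrome or Chromium build predates the fixed release named above. It assumes the four-field MAJOR.MINOR.BUILD.PATCH version format Chrome uses and the "Google Chrome 149.0.7827.53" style of line that `google-chrome --version` prints; the sample inputs are constructed.

```python
"""Compare an installed Chrome/Chromium version against the fixed build
named in this advisory (149.0.7827.53).

Chrome versions have four numeric fields (MAJOR.MINOR.BUILD.PATCH) and
must be compared field-by-field as integers: a plain string comparison
would wrongly rank "149.0.7827.9" above "149.0.7827.53".
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "149.0.7827.53"  # fixed release stated in the advisory

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-field version from free text such as the output of
    `google-chrome --version` (assumed format: "Google Chrome 149.0.7827.53").
    Returns None when no well-formed version is present."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(field) for field in match.groups())


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if `installed` is older than `fixed`, False if it is the fixed
    build or newer, None if the installed string cannot be parsed."""
    inst = parse_version(installed)
    fix = parse_version(fixed)
    if inst is None or fix is None:
        return None
    # Tuple comparison is left-to-right, field by field, as integers.
    return inst < fix


if __name__ == "__main__":
    # Constructed sample lines in the `google-chrome --version` format.
    samples = (
        "Google Chrome 149.0.7827.9",
        "Google Chrome 149.0.7827.53",
        "Chromium 150.0.7900.12",
        "Google Chrome unknown",
    )
    labels = {True: "UPDATE REQUIRED", False: "ok", None: "unparseable"}
    for line in samples:
        print(f"{line!r}: {labels[is_vulnerable(line)]}")
```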
While the internal Chromium security ratings for these vulnerabilities are predominantly Low, the sheer volume and the variety of potential impacts, ranging from UI spoofing and data leakage to privilege escalation and arbitrary code execution, warrant attention from users and administrators. The coordinated disclosure of these 25 CVEs on June 4-5, 2026, emphasizes the continuous security patching cycle for the Chromium project.