browser security

Google and Microsoft addressed CVE-2026-7954 on May 6–7, 2026, by moving Chrome desktop to 148.0.7778.96/97 and Edge Stable to 148.0.3967.54, fixing a Medium-severity Chromium Shared Storage race that could leak cross-origin data after renderer compromise via crafted HTML. That dry sentence is...

On May 7, 2026, Microsoft published guidance for CVE-2026-7962, a medium-severity Chromium vulnerability in DirectSockets that affects Microsoft Edge because Edge consumes the Chromium open source codebase. The flaw was fixed in Chromium before Chrome 148.0.7778.96 and is addressed in Edge...

Google and Microsoft disclosed CVE-2026-7964 on May 6, 2026, a medium-severity Chromium FileSystem vulnerability fixed in Google Chrome before version 148.0.7778.96 and tracked by Microsoft because Chromium-based Edge inherits the same upstream browser risk. The flaw is not the flashiest item in...

Google and Microsoft disclosed CVE-2026-7996 on May 6–7, 2026, as a low-severity Chromium SSL input-validation flaw fixed in Chrome before 148.0.7778.96 and incorporated into Microsoft Edge Stable 148.0.3967.54 on Windows, macOS, Linux, and Chromium-derived browser deployments. The bug is not...

Google and Microsoft disclosed CVE-2026-7340 on April 28, 2026, as a medium-severity Chrome-on-Windows flaw in ANGLE fixed in Chrome 147.0.7727.138, where a crafted HTML page could trigger an integer overflow and cause an out-of-bounds memory read. The bug is not the scariest item in April’s...

Google and Microsoft disclosed CVE-2026-7354 on April 28, 2026, describing a high-severity out-of-bounds read and write flaw in ANGLE that affects Google Chrome before 147.0.7727.138 and could let a remote attacker attempt a browser sandbox escape through a crafted HTML page. The short version...

The newly disclosed CVE-2026-6317 is a high-severity use-after-free vulnerability in Chrome’s Cast component that Google says could let a remote attacker execute arbitrary code through a crafted HTML page. Google’s stable-channel fix landed on April 15, 2026, and the remedied versions are...

Google’s April 15, 2026 Chrome stable update quietly closed a High-severity memory-corruption flaw in PDFium, tracked as CVE-2026-6305, and the fix now matters well beyond browser hobbyists. The bug affects Chrome versions prior to 147.0.7727.101 and allows a remote attacker to execute arbitrary...

Google’s latest Chromium security cycle has put CVE-2026-6310 in the spotlight: a use-after-free in Dawn that was fixed in Chrome 147.0.7727.101 and described by Google as a potential sandbox escape for a remote attacker who had already compromised the renderer process. Microsoft is tracking the...

Microsoft has recorded CVE-2026-33118 as a Microsoft Edge (Chromium-based) spoofing vulnerability, and the key question for defenders is not simply whether the bug exists, but how much confidence Microsoft has in the underlying technical details. In Microsoft’s own vulnerability model, that...

Google has now published CVE-2026-5865, a type confusion in V8 that affects Google Chrome prior to 147.0.7727.55 and can let a remote attacker execute arbitrary code inside the browser sandbox through a crafted HTML page. Microsoft’s Security Update Guide has picked up the record as well, which...

Chromium’s newly disclosed CVE-2026-5918 is a reminder that browser security flaws do not need to be dramatic to matter. Google says the bug affects Chrome versions prior to 147.0.7727.55 and could let a remote attacker who had already compromised the renderer process leak cross-origin data...

A newly published Chromium flaw, CVE-2026-5859, is the kind of browser vulnerability that security teams should treat as an urgent patch item rather than an abstract identifier. Google says the issue is an integer overflow in WebML affecting Chrome versions prior to 147.0.7727.55, and that a...

Chromium’s CVE-2026-5862 is the kind of browser-security flaw that looks narrowly defined on paper but carries a broad operational footprint in practice. Google says the bug is an inappropriate implementation in V8, the JavaScript engine that powers Chrome and other Chromium-based browsers, and...

Google’s newly published CVE-2026-5868 is the kind of browser bug that looks narrow at first glance and then immediately broadens once you unpack the blast radius. The flaw is a heap buffer overflow in ANGLE affecting Google Chrome on Mac prior to 147.0.7727.55, and Google says a crafted HTML...

Google has disclosed a new high-severity Chrome vulnerability, tracked as CVE-2026-5873, that affects the V8 JavaScript engine and allows a remote attacker to achieve arbitrary code execution inside the browser sandbox through a crafted HTML page. The issue affects Google Chrome versions prior...

Microsoft’s latest Chromium security cycle has surfaced CVE-2026-5872, a use-after-free in Blink that affects Google Chrome prior to 147.0.7727.55 and can let a remote attacker execute code inside the browser sandbox through a crafted HTML page. Microsoft’s Security Update Guide now reflects the...

Google’s newly published CVE-2026-5892 is a reminder that browser security failures do not always look dramatic on paper to be dangerous in practice. The flaw, described as insufficient policy enforcement in PWAs, affects Google Chrome versions before 147.0.7727.55 and could let a remote...

Google’s CVE-2026-5895 is a browser UI spoofing flaw in Chrome on iOS that can let a remote attacker make the Omnibox appear to show something different from the real destination. The bug affects versions prior to 147.0.7727.55, and Google rates the Chromium-side issue as Low severity, which is...

CISA’s April 1 update is a reminder that the Known Exploited Vulnerabilities Catalog remains one of the most operationally important signals in federal cybersecurity. The agency says it has added CVE-2026-5281, described as a Google Dawn use-after-free vulnerability, based on evidence of active...