chrome security
About this tag
The chrome security tag on WindowsForum covers recent vulnerabilities and patches for Google Chrome on Windows, with a focus on the June 30, 2026 update to version 150.0.7871.47. Discussions include medium-severity flaws such as UI spoofing in History, Passwords, TabStrip, and Permissions, as well as a Skia memory leak, DataTransfer input-validation issue, WebAppInstalls domain spoofing, and a SanitizerAPI same-origin bypass. These threads emphasize that while individual CVSS scores are modest, the bugs collectively undermine browser trust boundaries and are critical for Windows administrators to patch promptly. The tag provides practical guidance on updating Chrome and understanding the real-world impact of these security fixes.
Google disclosed CVE-2026-13966 on June 30, 2026, as a medium-severity Chrome History flaw fixed before version 150.0.7871.47, allowing a remote attacker to spoof browser interface cues through a crafted HTML page if the user interacted with it. The National Vulnerability Database later added...
Google Chrome’s June 30, 2026 desktop stable update fixed CVE-2026-13971, a medium-severity Skia memory-initialization flaw affecting Chrome before 150.0.7871.47 that could let an attacker with a compromised renderer read potentially sensitive process memory through a crafted HTML page. The bug...
Google Chrome before version 150.0.7871.47 contained CVE-2026-13982, a medium-severity flaw in the browser’s Passwords interface that could let an attacker spoof security UI after first compromising the renderer process with a crafted HTML page. The vulnerability was published by Chrome on June...
Google Chrome before version 150.0.7871.47 contains CVE-2026-13984, a medium-severity TabStrip flaw disclosed on June 30, 2026, that can let a remote attacker spoof security-related browser UI through a crafted HTML page. The bug is not a code-execution monster, and that is exactly why it is...
Google fixed CVE-2026-13990 in Chrome 150.0.7871.47 for Windows on June 30, 2026, closing a medium-severity DataTransfer input-validation flaw that could let an attacker, after compromising Chrome’s renderer process, spoof browser UI through a crafted HTML page. The entry is now live in the...
Google disclosed CVE-2026-13993 on June 30, 2026, as a medium-severity Chrome WebAppInstalls flaw fixed before version 150.0.7871.47, where a crafted HTML page and specific user gestures could misrepresent a domain during web app installation. That sounds modest next to memory corruption and...
Google Chrome before 150.0.7871.47 contains CVE-2026-13996, a medium-severity Chromium Permissions bug disclosed on June 30, 2026, that lets a remote attacker spoof browser security UI with a crafted HTML page. The dry database wording makes it sound like a minor paperwork entry in the endless...
Google fixed CVE-2026-14023, a medium-severity Chrome SanitizerAPI input-validation flaw that could let a remote attacker bypass same-origin protections with a crafted HTML page, in Chrome 150.0.7871.47 for Windows and Mac after publishing the stable desktop update on June 30, 2026. The bug is...
Google fixed CVE-2026-14025 in the June 30, 2026 Chrome Stable desktop update, closing a Mac-specific use-after-free flaw in Chrome’s Views interface code before version 150.0.7871.47 that could let a remote attacker trigger heap corruption through a crafted page and user gestures. The bug is...
Google disclosed CVE-2026-14058 on June 30, 2026, as a low-severity Chrome Parser flaw fixed before version 150.0.7871.47, allowing a remote attacker to bypass Content Security Policy protections with a crafted HTML page if a user visited it. The National Vulnerability Database later added the...
Google disclosed CVE-2026-14111 on June 30, 2026, as a low-severity use-after-free flaw in Chrome’s WebProtect component before version 150.0.7871.47, exploitable only after an attacker persuaded a user to install a malicious Chrome extension. The bug is not the scariest item in Chrome 150’s...
Google fixed CVE-2026-14118 on June 30, 2026, in Chrome 150.0.7871.47 for Windows and Mac, after a low-severity DevTools validation flaw could let a remote attacker leak cross-origin data if a user performed specific UI gestures on a crafted page. The bug is not the kind of Chrome emergency that...
Google Chrome’s CVE-2026-14120 was published on June 30, 2026, for a DevTools flaw fixed before Chrome 150.0.7871.47 that could let an attacker who had already compromised the renderer process attempt a sandbox escape through a crafted HTML page. The short operational answer is that NVD does...
Google fixed CVE-2026-13806 in Chrome 150.0.7871.47 for Windows and Mac after disclosing that earlier builds allowed a remote attacker, already inside Chrome’s renderer process, to bypass site isolation through a crafted HTML page using insufficient input validation in Accessibility. The...
Google Chrome fixed CVE-2026-13799, a high-severity use-after-free flaw in its QUIC networking code, in the desktop Stable Channel update published June 30, 2026, with Chrome versions before 150.0.7871.47 listed as vulnerable by the Chrome CVE record and the National Vulnerability Database. The...
Google fixed CVE-2026-13796 in Chrome 150.0.7871.47 for Windows and macOS on June 30, 2026, addressing a high-severity Chromecast integer overflow that could let an attacker escape Chrome’s sandbox after first compromising the renderer. The vulnerability is not a garden-variety “visit a bad page...
Google Chrome before version 150.0.7871.47 contains CVE-2026-13978, a medium-severity PageInfo policy-enforcement flaw disclosed on June 30, 2026, that can let a remote attacker spoof browser UI through a crafted HTML page when user interaction is involved. The bug is not a memory-corruption...
Google Chrome before version 150.0.7871.47 contains CVE-2026-13979, a medium-severity Chromium Paint flaw disclosed on June 30, 2026, that can let a remote attacker spoof browser UI through a crafted HTML page after convincing a user to visit it. The National Vulnerability Database now lists the...
Google fixed CVE-2026-14000 in the Chrome 150 stable release on June 30, 2026, after disclosing that older Chrome builds could allow a remote attacker to inject arbitrary scripts or HTML through a crafted page abusing XML handling. The flaw is rated Medium by Chromium and scored 6.1 by CISA’s...
Google fixed CVE-2026-14002 in Chrome 150.0.7871.47 for Windows and Mac on June 30, 2026, closing a medium-severity Geolocation implementation flaw that could let an attacker who had already compromised Chrome’s renderer process spoof browser UI with a crafted HTML page. The uncomfortable part...