webrtc security
About this tag
WebRTC security on Windows involves tracking and patching memory-safety vulnerabilities in Chromium's WebRTC implementation, which underpins real-time communication in Chrome, Edge, and other browsers. Recent high-severity CVEs include use-after-free flaws (CVE-2026-7928, CVE-2026-7336, CVE-2026-5860), out-of-bounds reads and writes (CVE-2026-11667, CVE-2026-7951), and heap overflows (CVE-2026-7339). These bugs allow remote code execution inside the browser sandbox via crafted HTML pages, often requiring user interaction. For Windows administrators, the recurring theme is that even medium-severity WebRTC flaws pose elevated enterprise risk because the browser is a critical perimeter. Prompt updates to Chrome and downstream Chromium browsers like Edge are essential to mitigate chainable heap corruption and other exploit vectors.
Google Chrome CVE-2026-14078 is a WebRTC input-validation flaw fixed in Chrome 150.0.7871.47, published by Chrome on June 30, 2026, and later enriched by NVD and CISA as a remotely reachable privilege-escalation issue triggered through a crafted HTML page. The uncomfortable part is not that...
Google Chrome before 149.0.7827.103 contains CVE-2026-11667, a high-severity WebRTC out-of-bounds read flaw disclosed June 8, 2026, that could let a remote attacker who already compromised Chrome’s GPU process trigger heap corruption through a crafted HTML page. The important word in that...
Google and Microsoft disclosed CVE-2026-7928 on May 6, 2026, as a high-severity use-after-free flaw in Chromium’s WebRTC implementation affecting Google Chrome on Windows before version 148.0.7778.96, where a crafted HTML page could allow remote code execution inside the browser sandbox. The bug...
Google and Microsoft patched CVE-2026-7951 in early May 2026 after Chrome versions before 148.0.7778.96 were found vulnerable to an out-of-bounds write in WebRTC that could let a remote attacker run code inside Chrome’s sandbox through a crafted HTML page. The bug is not the loudest flaw in...
Google and Microsoft disclosed CVE-2026-7339 on April 28, 2026, as a heap-based buffer overflow in Chromium’s WebRTC component affecting Google Chrome before 147.0.7727.138, with exploitation possible through a crafted HTML page that triggers heap corruption after user interaction. The bug is...
On April 28, 2026, Google shipped Chrome 147.0.7727.137/138 for Windows and macOS and 147.0.7727.137 for Linux, fixing CVE-2026-7336, a high-severity use-after-free flaw in WebRTC that could let a remote attacker run code inside Chrome’s sandbox through a crafted HTML page. The uncomfortable...
Google’s latest Chromium security disclosure, CVE-2026-5860, is another reminder that browser bugs rarely stay “just browser bugs” for long. Microsoft’s Security Update Guide records the issue as a use-after-free in WebRTC affecting Google Chrome versions prior to 147.0.7727.55, and the record...