彙總 Google — Chrome, Android & Chromium Security Issues 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
已披露問題常與 緩衝區溢位、輸入驗證問題與路徑處理缺陷 相關,可能在 系統元件與伺服器部署 場景中帶來 異常行為與檔案覆寫 等暴露風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2026-28573 | In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | [email protected] | 10.0 | 0.15% | 2026-06-18 | 2026-06-22 |
| CVE-2026-28615 | In Telecomm, there is a possible way to initiate an unauthorized phone call due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | [email protected] | 10.0 | 0.15% | 2026-06-17 | 2026-06-18 |
| CVE-2026-28587 | In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | [email protected] | 10.0 | 0.14% | 2026-06-17 | 2026-06-17 |
| CVE-2026-28576 | In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. | [email protected] | 10.0 | 0.15% | 2026-06-17 | 2026-06-17 |
| CVE-2026-28575 | In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, there is a possible memory exhaustion attack due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. | [email protected] | 10.0 | 0.15% | 2026-06-17 | 2026-06-17 |
| CVE-2026-12469 | Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | [email protected] | 4.3 | 0.21% | 2026-06-17 | 2026-06-18 |
| CVE-2026-12468 | Race in Updater in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | [email protected] | 8.3 | 0.14% | 2026-06-17 | 2026-06-18 |
| CVE-2026-12467 | Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | [email protected] | 8.3 | 0.22% | 2026-06-17 | 2026-06-18 |
| CVE-2026-12466 | Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) | [email protected] | 8.8 | 0.40% | 2026-06-17 | 2026-06-18 |
| CVE-2026-12465 | Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | [email protected] | 8.3 | 0.24% | 2026-06-17 | 2026-06-18 |
| CVE-2026-12464 | Use after free in Browser in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | [email protected] | 8.3 | 0.22% | 2026-06-17 | 2026-06-18 |
| CVE-2026-12463 | Inappropriate implementation in Views in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High) | [email protected] | 4.7 | 0.13% | 2026-06-17 | 2026-06-18 |
| CVE-2026-12462 | Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) | [email protected] | 7.5 | 0.26% | 2026-06-17 | 2026-06-18 |
| CVE-2026-12461 | Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High) | [email protected] | 6.5 | 0.22% | 2026-06-17 | 2026-06-18 |
| CVE-2026-12460 | Insufficient policy enforcement in File System Access in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. (Chromium security severity: High) | [email protected] | 4.2 | 0.15% | 2026-06-17 | 2026-06-17 |
| CVE-2026-12459 | Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High) | [email protected] | 6.1 | 0.18% | 2026-06-17 | 2026-06-17 |
| CVE-2026-12458 | Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | [email protected] | 3.1 | 0.18% | 2026-06-17 | 2026-06-17 |
| CVE-2026-12457 | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High) | [email protected] | 4.2 | 0.14% | 2026-06-17 | 2026-06-17 |
| CVE-2026-12456 | Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High) | [email protected] | 4.2 | 0.13% | 2026-06-17 | 2026-06-17 |
| CVE-2026-12455 | Use after free in Tab Strip in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | [email protected] | 7.5 | 0.22% | 2026-06-17 | 2026-06-18 |