google security advisories
60 threat alerts tracking vulnerabilities and security advisories that affect google products.
Vulnios monitors google CVE feeds, vendor advisories, CISA KEV listings, and exploit-prediction data continuously. Each alert below is enriched with severity, exploitation status, affected products, and a remediation path. Use this page to scan recent google security news in one place, or click into an individual alert for full detail.
Critical Vulnerability: CVE-2026-10990 — google — chrome
Use after free in Glic in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chro
criticalCVE-2026-10990Critical Vulnerability: CVE-2026-11002 — google — chrome
Use after free in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (
criticalCVE-2026-11002Critical Vulnerability: CVE-2026-11113 — google — chrome
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape v
criticalCVE-2026-11113Critical Vulnerability: CVE-2026-11120 — google — chrome
Insufficient validation of untrusted input in Enterprise Reporting in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a s
criticalCVE-2026-11120Critical Vulnerability: CVE-2026-10931 — google — chrome
Use after free in FileSystem in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
criticalCVE-2026-10931Critical Vulnerability: CVE-2026-10966 — google — chrome
Inappropriate implementation in Codecs in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity:
criticalCVE-2026-10966Critical Vulnerability: CVE-2026-10974 — google — chrome
Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium securit
criticalCVE-2026-10974Critical Vulnerability: CVE-2016-6725 — google — android
A remote code execution vulnerability in the Qualcomm crypto driver in Android before 2016-11-05 could enable a remote attacker to execute arbitrary code within the context of the kernel. This issue i
criticalCVE-2016-6725Critical Vulnerability: CVE-2016-3929 — google — android
Unspecified vulnerability in a Qualcomm component in Android before 2016-10-05 on Nexus 5X and 6P devices has unknown impact and attack vectors, aka internal bug 28823675.
criticalCVE-2016-3929Critical Vulnerability: CVE-2016-6696 — google — android
sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 driver in Android before 2016-10-05 allows attackers to cause a denial of service or possibly have unspecified other impact via a large
criticalCVE-2016-6696Critical Vulnerability: CVE-2016-6693 — google — android
sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 driver in Android before 2016-10-05 allows attackers to cause a denial of service or possibly have unspecified other impact via an inva
criticalCVE-2016-6693Critical Vulnerability: CVE-2016-6695 — google — android
sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 driver in Android before 2016-10-05 allows attackers to cause a denial of service or possibly have unspecified other impact via a craft
criticalCVE-2016-6695Critical Vulnerability: CVE-2016-6692 — google — android
drivers/video/msm/mdss/mdss_mdp_pp.c in the Qualcomm MDSS driver in Android before 2016-10-05 allows attackers to cause a denial of service (invalid pointer access) or possibly have unspecified other
criticalCVE-2016-6692Critical Vulnerability: CVE-2016-6691 — google — android
service/jni/com_android_server_wifi_Gbk2Utf.cpp in the Qualcomm Wi-Fi gbk2utf module in Android before 2016-10-05 allows remote attackers to cause a denial of service (framework crash) or possibly hav
criticalCVE-2016-6691Critical Vulnerability: CVE-2016-6694 — google — android
sound/soc/msm/qdsp6v2/msm-ds2-dap-config.c in a Qualcomm QDSP6v2 driver in Android before 2016-10-05 allows attackers to cause a denial of service or possibly have unspecified other impact via crafted
criticalCVE-2016-6694Critical Vulnerability: CVE-2016-3926 — google — android
Unspecified vulnerability in a Qualcomm component in Android before 2016-10-05 on Nexus 5, 5X, 6, and 6P devices has unknown impact and attack vectors, aka internal bug 28823953.
criticalCVE-2016-3926Critical Vulnerability: CVE-2016-3927 — google — android
Unspecified vulnerability in a Qualcomm component in Android before 2016-10-05 on Nexus 5X and 6P devices has unknown impact and attack vectors, aka internal bug 28823244.
criticalCVE-2016-3927Critical Vulnerability: CVE-2016-3877 — google — android
Unspecified vulnerability in Android before 2016-09-01 has unknown impact and attack vectors.
criticalCVE-2016-3877Critical Vulnerability: CVE-2016-5146 — google — chrome
Multiple unspecified vulnerabilities in Google Chrome before 52.0.2743.116 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
criticalCVE-2016-5146Critical Vulnerability: CVE-2016-5140 — google — chrome
Heap-based buffer overflow in the opj_j2k_read_SQcd_SQcc function in j2k.c in OpenJPEG, as used in PDFium in Google Chrome before 52.0.2743.116, allows remote attackers to cause a denial of service or
criticalCVE-2016-5140Critical Vulnerability: CVE-2016-3819 — google — android
Integer overflow in codecs/on2/h264dec/source/h264bsd_dpb.c in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-01 allows remot
criticalCVE-2016-3819Critical Vulnerability: CVE-2016-3821 — google — android
libmedia in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-01 has certain incorrect declarations, which allows remote attackers to execute arbi
criticalCVE-2016-3821Critical Vulnerability: CVE-2016-5142 — google — chrome
The Web Cryptography API (aka WebCrypto) implementation in Blink, as used in Google Chrome before 52.0.2743.116, does not properly copy data buffers, which allows remote attackers to cause a denial of
criticalCVE-2016-5142Critical Vulnerability: CVE-2016-3840 — google — android
Conscrypt in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-08-05 does not properly identify session reuse, which allows remote attackers to execute arbitrary co
criticalCVE-2016-3840Critical Vulnerability: CVE-2014-9902 — google — android
Buffer overflow in CORE/SYS/legacy/src/utils/src/dot11f.c in the Qualcomm Wi-Fi driver in Android before 2016-08-05 on Nexus 7 (2013) devices allows remote attackers to execute arbitrary code via a cr
criticalCVE-2014-9902Critical Vulnerability: CVE-2016-5143 — google — chrome
The Developer Tools (aka DevTools) subsystem in Blink, as used in Google Chrome before 52.0.2743.116, mishandles the script-path hostname, remoteBase parameter, and remoteFrontendUrl parameter, which
criticalCVE-2016-5143Critical Vulnerability: CVE-2016-3820 — google — android
The ih264d decoder in mediaserver in Android 6.x before 2016-08-01 mishandles slice numbers, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) vi
criticalCVE-2016-3820Critical Vulnerability: CVE-2016-5144 — google — chrome
The Developer Tools (aka DevTools) subsystem in Blink, as used in Google Chrome before 52.0.2743.116, mishandles the script-path hostname, remoteBase parameter, and remoteFrontendUrl parameter, which
criticalCVE-2016-5144Critical Vulnerability: CVE-2016-1706 — google — chrome
The PPAPI implementation in Google Chrome before 52.0.2743.82 does not validate the origin of IPC messages to the plugin broker process that should have come from the browser process, which allows rem
criticalCVE-2016-1706Critical Vulnerability: CVE-2016-2506 — google — android
DRMExtractor.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01 does not validate a certain offset value, which allows
criticalCVE-2016-2506Critical Vulnerability: CVE-2016-3743 — google — android
decoder/ih264d_api.c in mediaserver in Android 6.x before 2016-07-01 does not initialize certain data structures, which allows remote attackers to execute arbitrary code or cause a denial of service (
criticalCVE-2016-3743Critical Vulnerability: CVE-2016-3741 — google — android
The H.264 decoder in mediaserver in Android 6.x before 2016-07-01 does not initialize certain slice data, which allows remote attackers to execute arbitrary code or cause a denial of service (memory c
criticalCVE-2016-3741Critical Vulnerability: CVE-2016-3742 — google — android
decoder/ih264d_process_intra_mb.c in mediaserver in Android 6.x before 2016-07-01 mishandles intra mode, which allows remote attackers to execute arbitrary code or cause a denial of service (memory co
criticalCVE-2016-3742Critical Vulnerability: CVE-2016-3745 — google — android
Multiple buffer overflows in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01 allow attackers to gain privileges via a crafted application tha
criticalCVE-2016-3745Critical Vulnerability: CVE-2016-2473 — google — android
The Qualcomm Wi-Fi driver in Android before 2016-06-01 on Nexus 7 (2013) devices allows attackers to gain privileges via a crafted application, aka internal bug 27777501.
criticalCVE-2016-2473Critical Vulnerability: CVE-2016-2496 — google — android
The Framework UI permission-dialog implementation in Android 6.x before 2016-06-01 allows attackers to conduct tapjacking attacks and access arbitrary private-storage files by creating a partially ove
criticalCVE-2016-2496Critical Vulnerability: CVE-2016-2428 — google — android
libAACdec/src/aacdec_drc.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 does not properly limit the number of threads, which allows r
criticalCVE-2016-2428Critical Vulnerability: CVE-2016-2429 — google — android
libFLAC/stream_decoder.c in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 does not prevent free operations on uninitialized memory, which a
criticalCVE-2016-2429Critical Vulnerability: CVE-2016-0835 — google — android
decoder/impeg2d_dec_hdr.c in mediaserver in Android 6.x before 2016-04-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file th
criticalCVE-2016-0835Critical Vulnerability: CVE-2016-0837 — google — android
MPEG4Extractor.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows remote attackers to execute arbitrary code or
criticalCVE-2016-0837Critical Vulnerability: CVE-2016-0839 — google — android
post_proc/volume_listener.c in mediaserver in Android 6.x before 2016-04-01 mishandles deleted effect context, which allows remote attackers to execute arbitrary code or cause a denial of service (mem
criticalCVE-2016-0839Critical Vulnerability: CVE-2016-2418 — google — android
media/libmedia/IOMX.cpp in mediaserver in Android 6.x before 2016-04-01 does not initialize certain metadata buffer pointers, which allows attackers to obtain sensitive information from process memory
criticalCVE-2016-2418Critical Vulnerability: CVE-2016-2417 — google — android
media/libmedia/IOMX.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not initialize a parameter data structure, which allows attac
criticalCVE-2016-2417Critical Vulnerability: CVE-2016-2416 — google — android
libs/gui/BufferQueueConsumer.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for the android.permission.DUMP permission
criticalCVE-2016-2416Critical Vulnerability: CVE-2016-0838 — google — android
Sonivox in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for a negative number of samples, which allows remote attackers to
criticalCVE-2016-0838Critical Vulnerability: CVE-2016-2419 — google — android
media/libmedia/IDrm.cpp in mediaserver in Android 6.x before 2016-04-01 does not initialize a certain key-request data structure, which allows attackers to obtain sensitive information from process me
criticalCVE-2016-2419Critical Vulnerability: CVE-2016-0841 — google — android
media/libmedia/mediametadataretriever.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 mishandles cleared service binders, which allows
criticalCVE-2016-0841Critical Vulnerability: CVE-2016-1621 — google — android
libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.0 before 2016-03-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption)
criticalCVE-2016-1621Critical Vulnerability: CVE-2016-0816 — google — android
mediaserver in Android 6.x before 2016-03-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, related to decoder/ih264d_pars
criticalCVE-2016-0816Critical Vulnerability: CVE-2016-0815 — google — android
The MPEG4Source::fragmentedRead function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.x before 2016-03-01 allows remote attackers
criticalCVE-2016-0815Critical Vulnerability: CVE-2016-2843 — google — chrome, v8
Multiple unspecified vulnerabilities in Google V8 before 4.9.385.26, as used in Google Chrome before 49.0.2623.75, allow attackers to cause a denial of service or possibly have other impact via unknow
criticalCVE-2016-2843Critical Vulnerability: CVE-2016-1642 — google — chrome
Multiple unspecified vulnerabilities in Google Chrome before 49.0.2623.75 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
criticalCVE-2016-1642Critical Vulnerability: CVE-2016-1635 — google — chrome
extensions/renderer/render_frame_observer_natives.cc in Google Chrome before 49.0.2623.75 does not properly consider object lifetimes and re-entrancy issues during OnDocumentElementCreated handling, w
criticalCVE-2016-1635Critical Vulnerability: CVE-2016-1639 — google — chrome
Use-after-free vulnerability in browser/extensions/api/webrtc_audio_private/webrtc_audio_private_api.cc in the WebRTC Audio Private API implementation in Google Chrome before 49.0.2623.75 allows remot
criticalCVE-2016-1639Critical Vulnerability: CVE-2016-1633 — google — chrome
Use-after-free vulnerability in Blink, as used in Google Chrome before 49.0.2623.75, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
criticalCVE-2016-1633Critical Vulnerability: CVE-2016-1636 — google — chrome
The PendingScript::notifyFinished function in WebKit/Source/core/dom/PendingScript.cpp in Google Chrome before 49.0.2623.75 relies on memory-cache information about integrity-check occurrences instead
criticalCVE-2016-1636Critical Vulnerability: CVE-2016-0804 — google — android
The NuPlayer::GenericSource::notifyPreparedAndCleanup function in media/libmediaplayerservice/nuplayer/GenericSource.cpp in mediaserver in Android 5.x before 5.1.1 LMY49G and 6.x before 2016-02-01 imp
criticalCVE-2016-0804Critical Vulnerability: CVE-2016-0803 — google — android
libstagefright in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49G, and 6.x before 2016-02-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory cor
criticalCVE-2016-0803Critical Vulnerability: CVE-2015-6636 — google — android
mediaserver in Android 5.x before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, ak
criticalCVE-2015-6636Critical Vulnerability: CVE-2015-6642 — google — android
The kernel in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via unknown vectors,
criticalCVE-2015-6642
Showing the 60 most recent. Older alerts are archived but still reachable via search and the main feed.
Track google exposure across your environment
Vulnios automatically cross-references your asset inventory against new google CVEs and surfaces only what affects you. No more sifting manually — actionable findings only.
Start a free scan