Vendor: Google

Google Cloud Service Mesh und Envoy Proxy: Mehrere Schwachstellen HIGH 7.5 2026-06-24

Ein Angreifer kann mehrere Schwachstellen in Google Cloud Service Mesh und Envoy Proxy ausnutzen, um einen Denial-of-Service-Zustand zu verursachen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen oder andere, nicht näher bezeichnete Angriffe durchzuführen.

Google Cloud Logging und Cloud Console App Engine: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen MEDIUM 5 2026-06-23

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Google Cloud Logging und Cloud Console App Engine ausnutzen, um Informationen offenzulegen.

Google Cloud Platform (GKE containerd): Mehrere Schwachstellen HIGH 7.5 2026-06-23

Ein entfernter, authentisierter Angreifer kann mehrere Schwachstellen in Google Cloud Platform ausnutzen, um beliebigen Programmcode auszuführen, Sicherheitsmaßnahmen zu umgehen, Daten zu manipulieren, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.

CVE-2026-28573 MEDIUM 5.5 2026-06-18

In AndroidManifest.xml, there is a possible persistent denial of service due to a missing permission check. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2026-28575 MEDIUM 5.5 2026-06-17

In PackageInstaller.Session#transfer of frameworks/base/services/core/java/com/android/server/pm/PackageInstallerSession.java, there is a possible memory exhaustion attack due to a logic error in the code. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2026-28576 MEDIUM 5.5 2026-06-17

In Contacts Provider, there is a possible way to access the contacts database due to SQL injection. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2026-28587 MEDIUM 5.5 2026-06-17

In MmsSmsProvider of MmsSmsProvider.java, there is a possible way to retrieve sensitive information due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2026-28615 HIGH 7.8 2026-06-17

In Telecomm, there is a possible way to initiate an unauthorized phone call due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2026-12460 MEDIUM 4.2 2026-06-17

Insufficient policy enforcement in File System Access in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. (Chromium security severity: High)

CVE-2026-12462 HIGH 7.5 2026-06-17

Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

CVE-2026-12464 HIGH 8.3 2026-06-17

Use after free in Browser in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVE-2026-12465 HIGH 8.3 2026-06-17

Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVE-2026-12467 HIGH 8.3 2026-06-17

Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVE-2026-12457 MEDIUM 4.2 2026-06-17

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

CVE-2026-12458 LOW 3.1 2026-06-17

Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

CVE-2026-12459 MEDIUM 6.1 2026-06-17

Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)

CVE-2026-12455 HIGH 7.5 2026-06-17

Use after free in Tab Strip in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

CVE-2026-12456 MEDIUM 4.2 2026-06-17

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High)

CVE-2026-12450 MEDIUM 6.5 2026-06-17

Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)

CVE-2026-12451 HIGH 8.3 2026-06-17

Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

CVE-2026-12453 MEDIUM 4.2 2026-06-17

Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

CVE-2026-0068 HIGH 7.8 2026-06-17

In createSessionInternal of PackageInstallerService.java, there is a possible method to remove a DPC app from a managed device without DO consent due to desync from persistence. This could lead to local escalation of privilege if a user can install a malicious app with no additional execution privileges needed. User interaction is needed for exploitation.

CVE-2026-0071 HIGH 7.8 2026-06-17

In SettingsLib, there is a possible missing permission check due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2026-0081 HIGH 7.8 2026-06-17

In NFC, there is a possible way to spoof an NFC event due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2026-0082 HIGH 7.8 2026-06-17

In tryStartActivity of NfcDispatcher.java, there is a possible automatic special app access permission assignment due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2026-0083 HIGH 7 2026-06-17

In Nfc::eventCallback() of Nfc.h, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2026-0092 UNKNOWN 0 2026-06-17

In Package Manager, there is a possible device lock controller bypass due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2026-0019 HIGH 7.8 2026-06-17

In SettingsLib, there is a possible way to disable system components due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2026-0057 LOW 3.3 2026-06-17

In Contacts Provider, there is a possible way to access an incoming call's phone number and associated metadata due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2026-0063 HIGH 7.8 2026-06-17

In setAllowedCarriers of PhoneInterfaceManager.java, there is a possible way to disable carrier restrictions due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2026-0064 MEDIUM 5.5 2026-06-17

In multiple places, there is a possible persistent denial of service due to resource exhaustion. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48640 HIGH 8 2026-06-17

In multiple locations, there is a possible 3rd party passkey entry pairing approval due to a missing permission check. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48643 HIGH 7.8 2026-06-17

In multiple locations there is a possible provisioning bypass due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVE-2025-48571 MEDIUM 4.3 2026-06-17

In multiple functions of btm_sec.cc, there is a possible way for an attacker to intercept SMS messages due to a logic error in the code. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.

CVE-2025-48617 HIGH 7.8 2026-06-17

In overrideConfig of CarrierConfigLoader.java, there is a possible way to bypass UID check due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Google Cloud Platform: Mehrere Schwachstellen HIGH 7.5 2026-04-24

Ein Angreifer kann mehrere Schwachstellen in Google Cloud Platform ausnutzen, um einen Cross-Site Scripting Angriff durchzuführen, und um beliebigen Programmcode auszuführen.

Google Android: Mehrere Schwachstellen MEDIUM 5 2026-04-07

Ein Angreifer kann mehrere Schwachstellen in Google Android ausnutzen, um einen nicht näher spezifizierten Angriff durchzuführen, und um einen Denial of Service Angriff durchzuführen.

Google Chrome und Microsoft Edge: Mehrere Schwachstellen HIGH 7.5 2026-04-01

Ein Angreifer kann mehrere Schwachstellen in Google Chrome und Microsoft Edge ausnutzen, um nicht näher definierte Angriffe durchzuführen, darunter möglicherweise Codeausführung, Umgehung von Sicherheitsmaßnahmen, Denial-of-Service, Offenlegung von Informationen und Datenmanipulation.

Google Cloud Platform Envoy Proxy, Istio und Service Mesh: Mehrere Schwachstellen MEDIUM 5 2026-03-27

Ein Angreifer kann mehrere Schwachstellen in Google Cloud Platform ausnutzen, um Sicherheitsvorkehrungen zu umgehen, vertrauliche Informationen offenzulegen oder einen Denial-of-Service-Zustand zu verursachen.

Google Chrome: Mehrere Schwachstellen HIGH 7.5 2026-03-25

Ein Angreifer kann mehrere Schwachstellen in Google Chrome ausnutzen, um nicht näher spezifizierte Angriffe durchzuführen, darunter möglicherweise Codeausführung, Denial-of-Service, Offenlegung von Informationen und Datenmanipulation.

Google Chrome/Microsoft Edge: Mehrere Schwachstellen HIGH 7.5 2026-03-25

Ein Angreifer kann mehrere Schwachstellen in Google Chrome/Microsoft Edge ausnutzen, um nicht näher definierte Angriffe durchzuführen, darunter möglicherweise Codeausführung, Umgehung von Sicherheitsmaßnahmen, Denial-of-Service, Offenlegung von Informationen und Datenmanipulation.