Google Chrome vulnerabilities
3,975 known vulnerabilities affecting google/chrome.
Total CVEs
3,975
CISA KEV
74
actively exploited
Public exploits
63
Exploited in wild
65
Severity breakdown
CRITICAL297HIGH2024MEDIUM1626LOW17UNKNOWN11
Vulnerabilities
Page 116 of 199
CVE-2018-18354HIGHCVSS 8.8fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18354 [HIGH] CWE-20 CVE-2018-18354: Insufficient validate of external protocols in Shell Integration in Google Chrome on Windows prior t
Insufficient validate of external protocols in Shell Integration in Google Chrome on Windows prior to 71.0.3578.80 allowed a remote attacker to launch external programs via a crafted HTML page.
nvd
CVE-2018-18335HIGHCVSS 8.8fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18335 [HIGH] CWE-787 CVE-2018-18335: Heap buffer overflow in Skia in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to pot
Heap buffer overflow in Skia in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2018-18342HIGHCVSS 8.8fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18342 [HIGH] CWE-787 CVE-2018-18342: Execution of user supplied Javascript during object deserialization can update object length leading
Execution of user supplied Javascript during object deserialization can update object length leading to an out of bounds write in V8 in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
nvd
CVE-2018-18339HIGHCVSS 8.8fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18339 [HIGH] CWE-416 CVE-2018-18339: Incorrect object lifecycle in WebAudio in Google Chrome prior to 71.0.3578.80 allowed a remote attac
Incorrect object lifecycle in WebAudio in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2018-18341HIGHCVSS 8.8fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18341 [HIGH] CWE-190 CVE-2018-18341: An integer overflow leading to a heap buffer overflow in Blink in Google Chrome prior to 71.0.3578.8
An integer overflow leading to a heap buffer overflow in Blink in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2018-18337HIGHCVSS 8.8fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18337 [HIGH] CWE-416 CVE-2018-18337: Incorrect handling of stylesheets leading to a use after free in Blink in Google Chrome prior to 71.
Incorrect handling of stylesheets leading to a use after free in Blink in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2018-18338HIGHCVSS 8.8fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18338 [HIGH] CWE-787 CVE-2018-18338: Incorrect, thread-unsafe use of SkImage in Canvas in Google Chrome prior to 71.0.3578.80 allowed a r
Incorrect, thread-unsafe use of SkImage in Canvas in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2018-17480HIGHCVSS 8.8KEVfixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-17480 [HIGH] CWE-787 CVE-2018-17480: Execution of user supplied Javascript during array deserialization leading to an out of bounds write
Execution of user supplied Javascript during array deserialization leading to an out of bounds write in V8 in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
nvd
CVE-2018-17481HIGHCVSS 8.8fixed in 71.0.3578.98≥ unspecified, < 71.0.3578.982018-12-11
CVE-2018-17481 [HIGH] CWE-416 CVE-2018-17481: Incorrect object lifecycle handling in PDFium in Google Chrome prior to 71.0.3578.98 allowed a remot
Incorrect object lifecycle handling in PDFium in Google Chrome prior to 71.0.3578.98 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
nvd
CVE-2018-18343HIGHCVSS 8.8fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18343 [HIGH] CWE-416 CVE-2018-18343: Incorrect handing of paths leading to a use after free in Skia in Google Chrome prior to 71.0.3578.8
Incorrect handing of paths leading to a use after free in Skia in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2018-18359HIGHCVSS 8.8fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18359 [HIGH] CWE-125 CVE-2018-18359: Incorrect handling of Reflect.construct in V8 in Google Chrome prior to 71.0.3578.80 allowed a remot
Incorrect handling of Reflect.construct in V8 in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
nvd
CVE-2018-18347HIGHCVSS 8.8fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18347 [HIGH] CWE-20 CVE-2018-18347: Incorrect handling of failed navigations with invalid URLs in Navigation in Google Chrome prior to 7
Incorrect handling of failed navigations with invalid URLs in Navigation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to trick a user into executing javascript in an arbitrary origin via a crafted HTML page.
nvd
CVE-2018-18340HIGHCVSS 8.8fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18340 [HIGH] CWE-416 CVE-2018-18340: Incorrect object lifecycle in MediaRecorder in Google Chrome prior to 71.0.3578.80 allowed a remote
Incorrect object lifecycle in MediaRecorder in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2018-18356HIGHCVSS 8.8fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18356 [HIGH] CWE-190 CVE-2018-18356: An integer overflow in path handling lead to a use after free in Skia in Google Chrome prior to 71.0
An integer overflow in path handling lead to a use after free in Skia in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
nvd
CVE-2018-18358MEDIUMCVSS 5.7fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18358 [MEDIUM] CWE-20 CVE-2018-18358: Lack of special casing of localhost in WPAD files in Google Chrome prior to 71.0.3578.80 allowed an
Lack of special casing of localhost in WPAD files in Google Chrome prior to 71.0.3578.80 allowed an attacker on the local network segment to proxy resources on localhost via a crafted WPAD file.
nvd
CVE-2018-18357MEDIUMCVSS 4.3fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18357 [MEDIUM] CVE-2018-18357: Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 71.0.3578.80
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.
nvd
CVE-2018-18355MEDIUMCVSS 4.3fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18355 [MEDIUM] CVE-2018-18355: Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 71.0.3578.80
Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.
nvd
CVE-2018-18348MEDIUMCVSS 4.3fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18348 [MEDIUM] CVE-2018-18348: Incorrect handling of bidirectional domain names with RTL characters in Omnibox in Google Chrome pri
Incorrect handling of bidirectional domain names with RTL characters in Omnibox in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name.
nvd
CVE-2018-18350MEDIUMCVSS 6.5fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18350 [MEDIUM] CVE-2018-18350: Incorrect handling of CSP enforcement during navigations in Blink in Google Chrome prior to 71.0.357
Incorrect handling of CSP enforcement during navigations in Blink in Google Chrome prior to 71.0.3578.80 allowed a remote attacker to bypass content security policy via a crafted HTML page.
nvd
CVE-2018-18345MEDIUMCVSS 6.5fixed in 71.0.3578.80≥ unspecified, < 71.0.3578.802018-12-11
CVE-2018-18345 [MEDIUM] CVE-2018-18345: Incorrect handling of blob URLS in Site Isolation in Google Chrome prior to 71.0.3578.80 allowed a r
Incorrect handling of blob URLS in Site Isolation in Google Chrome prior to 71.0.3578.80 allowed a remote attacker who had compromised the renderer process to bypass site isolation protections via a crafted HTML page.
nvd