COOEY // HUBcompliance · community · intelligence

FAIL › dossier

Google company FedRAMP market

FedRAMP provider · · dossier confidence 20%

Google Chrome is currently under active exploitation due to a cluster of critical sandbox escape and RCE vulnerabilities in core components like V8 and Skia, with multiple patches released in July 2026 to address these high-risk flaws.

16
failure events
0
zero-days
4
RCEs
4
on KEV
12
critical
85
worst shame

Profile

Category
Technology Vendor
What they do
Google is a multinational technology company that develops and provides various internet-based services and products, including the Chrome web browser.
Website
https://www.google.com

Security posture

Google demonstrates a reactive security posture with a high volume of critical and high-severity vulnerabilities in Chrome, particularly involving sandbox escape and use-after-free flaws in core components like V8, Skia, and ANGLE.

Notable failures
  • CVE-2026-14104: Critical RCE in WebAppInstalls
  • CVE-2026-13782: Critical Sandbox Escape in Browser
  • CVE-2026-13781: Critical Sandbox Escape in Skia
  • CVE-2026-13776: Critical Sandbox Escape in Dawn
  • CVE-2026-13775: Critical Sandbox Escape in GPU
  • CVE-2026-11720: Critical Path Traversal in googleapis/mcp-toolbox
Patterns
Repeated unpatched edge-device RCEs; Sandbox escape via renderer process compromise; Use-after-free vulnerabilities in core rendering components

Failure history 16 events

DateEventSevFlagsShameSummary
2026-03-13 CVE-2026-3910 high ⚡RCE ⌖KEV 85 Google Chromium V8 allows remote code execution via crafted HTML pages, enabling attackers to bypass sandbox protections.
2026-06-09 CVE-2026-11645 high ⚡RCE ⌖KEV 65 Google Chromium V8 allows remote code execution via crafted HTML pages, enabling sandbox escape and arbitrary code execution.
2026-06-30 CVE-2026-14104 critical ⚡RCE 50 Insufficient validation of untrusted input in WebAppInstalls in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Low)
2026-04-01 CVE-2026-5281 high ⚡RCE ⌖KEV 45 Google Dawn (Chrome/Edge/Opera) use-after-free vulnerability enables remote code execution via crafted HTML.
2026-03-13 CVE-2026-3909 high ⌖KEV 45 Google Skia contains an actively exploited out-of-bounds write vulnerability enabling remote memory access via crafted HTML.
2026-06-30 CVE-2026-13782 critical 35 Use after free in Browser in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
2026-06-30 CVE-2026-13781 critical 35 Insufficient validation of untrusted input in Skia in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
2026-06-30 CVE-2026-14120 critical 35 Inappropriate implementation in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
2026-06-30 CVE-2026-13776 critical 35 Type Confusion in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
2026-06-30 CVE-2026-13775 critical 35 Use after free in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
2026-06-30 CVE-2026-13780 critical 35 Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
2026-06-30 CVE-2026-14109 critical 35 Insufficient policy enforcement in Mojo in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
2026-06-30 CVE-2026-14106 critical 35 Insufficient validation of untrusted input in Text in Google Chrome on Android prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
2026-06-30 CVE-2026-14101 critical 35 Insufficient policy enforcement in Sandbox in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Low)
2026-06-30 CVE-2026-13785 critical 35 Use after free in Bluetooth in Google Chrome on Mac prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
2026-06-29 CVE-2026-11720 critical 35 A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox. When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While

FedRAMP catalog products 2

ProductStatusImpact
Google Services (Google Cloud Platform Products and underlying Infrastructure) Authorized High
Google Workspace Authorized High

Dossier sources

Open questions: Google's remediation timeline for critical vulnerabilities · Impact of these vulnerabilities on CMMC compliance