[TLP:CLEAR]
security bulletin 95/2026
Google Chrome updates
31-03-2026
chrome, use-after-free, buffer-overflow, exploit, dawn
description
The bulletin reports 21 vulnerabilities fixed in Chrome, many of them use after free, heap buffer overflow, integer overflow and out of bounds read issues. The most serious vulnerabilities include:
- CVE-2026-5281 (use after free in Dawn, exploit in the wild)
- CVE-2026-5273 (use after free in CSS)
- CVE-2026-5272 (heap buffer overflow in GPU)
- CVE-2026-5274 (integer overflow in Codecs)
- CVE-2026-5275 (heap buffer overflow in ANGLE)
- CVE-2026-5276 (insufficient policy enforcement in WebUSB)
- CVE-2026-5277 (integer overflow in ANGLE)
- CVE-2026-5278 (use after free in Web MIDI)
- CVE-2026-5279 (object corruption in V8)
- CVE-2026-5280 (use after free in WebCodecs)
- CVE-2026-5282 (out of bounds read in WebCodecs)
- CVE-2026-5283 (inappropriate implementation in ANGLE)
- CVE-2026-5284 (use after free in Dawn)
- CVE-2026-5285 (use after free in WebGL)
- CVE-2026-5286 (use after free in Dawn)
- CVE-2026-5287 (use after free in PDF)
- CVE-2026-5288 (use after free in WebView)
- CVE-2026-
notes
The update affects Chrome for Windows, Mac and Linux. The vulnerabilities impact critical components such as CSS, GPU, ANGLE, WebUSB, Web MIDI, V8, WebCodecs, Dawn, WebGL, PDF, WebView, Navigation and Compositing. Google confirms active exploitation of CVE-2026-5281 (use after free in Dawn). No specific mitigations or workarounds are reported in the bulletin. Immediate update of all systems is recommended, together with monitoring for anomalies in the components mentioned. Technical priority is high because an exploit is in the wild.
CVE
| CVE | CVSS-3.1 | CVSS-4.0 | EPSS | EPSS percentile |
|---|---|---|---|---|
| CVE-2026-5288 | 10.0 | -- | 0.063% | 19.56% |
| CVE-2026-5289 | 10.0 | -- | 0.068% | 21.00% |
| CVE-2026-5290 | 10.0 | -- | 0.068% | 21.00% |
| CVE-2026-5272 | 9.0 | -- | 0.025% | 6.80% |
| CVE-2026-5274 | 9.0 | -- | 0.068% | 21.00% |
| CVE-2026-5275 | 9.0 | -- | 0.072% | 21.93% |
| CVE-2026-5278 | 9.0 | -- | 0.071% | 21.78% |
| CVE-2026-5279 | 9.0 | -- | 0.080% | 23.75% |
| CVE-2026-5280 | 9.0 | -- | 0.071% | 21.78% |
| CVE-2026-5281 | 9.0 | -- | 3.278% | 87.17% |
| CVE-2026-5285 | 9.0 | -- | 0.071% | 21.78% |
| CVE-2026-5286 | 9.0 | -- | 0.080% | 23.75% |
| CVE-2026-5287 | 9.0 | -- | 0.080% | 23.75% |
| CVE-2026-5292 | 9.0 | -- | 0.063% | 19.56% |
| CVE-2026-5277 | 8.0 | -- | 0.086% | 24.77% |
| CVE-2026-5282 | 8.0 | -- | 0.063% | 19.56% |
| CVE-2026-5284 | 8.0 | -- | 0.080% | 23.75% |
| CVE-2026-5276 | 7.0 | -- | 0.045% | 13.84% |
| CVE-2026-5283 | 7.0 | -- | 0.014% | 2.53% |
| CVE-2026-5291 | 7.0 | -- | 0.026% | 7.12% |
| CVE-2026-5273 | 6.0 | -- | 0.065% | 20.16% |
attack types
| CWE | description |
|---|---|
| CWE-122 | Heap-based Buffer Overflow |
| CWE-416 | Use After Free |
| CWE-472 | External Control of Assumed-Immutable Web Parameter |
| CWE-693 | Protection Mechanism Failure |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| CWE-125 | Out-of-bounds Read |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
affected products
| vendor | product & versions |
|---|---|
| Google | Chrome |