Filtered by vendor Google
Subscriptions
Filtered by product Android
Subscriptions
Total
9064 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2011-1823 | 1 Google | 1 Android | 2026-04-21 | 7.8 High |
| The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to execute arbitrary code and gain root privileges via a negative index that bypasses a maximum-only signed integer check in the DirectVolume::handlePartitionAdded method, which triggers memory corruption, as demonstrated by Gingerbreak. | ||||
| CVE-2012-2034 | 8 Adobe, Apple, Google and 5 more | 14 Air, Flash Player, Macos and 11 more | 2026-04-21 | 7.5 High |
| Adobe Flash Player before 10.3.183.20 and 11.x before 11.3.300.257 on Windows and Mac OS X; before 10.3.183.20 and 11.x before 11.2.202.236 on Linux; before 11.1.111.10 on Android 2.x and 3.x; and before 11.1.115.9 on Android 4.x, and Adobe AIR before 3.3.0.3610, allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2012-2037. | ||||
| CVE-2016-5198 | 5 Apple, Google, Linux and 2 more | 9 Macos, Android, Chrome and 6 more | 2026-04-21 | 8.8 High |
| V8 in Google Chrome prior to 54.0.2840.90 for Linux, and 54.0.2840.85 for Android, and 54.0.2840.87 for Windows and Mac included incorrect optimisation assumptions, which allowed a remote attacker to perform arbitrary read/write operations, leading to code execution, via a crafted HTML page. | ||||
| CVE-2017-5030 | 6 Apple, Debian, Google and 3 more | 10 Macos, Debian Linux, Android and 7 more | 2026-04-21 | 8.8 High |
| Incorrect handling of complex species in V8 in Google Chrome prior to 57.0.2987.98 for Linux, Windows, and Mac and 57.0.2987.108 for Android allowed a remote attacker to execute arbitrary code via a crafted HTML page. | ||||
| CVE-2017-5070 | 5 Apple, Google, Linux and 2 more | 9 Macos, Android, Chrome and 6 more | 2026-04-21 | 8.8 High |
| Type confusion in V8 in Google Chrome prior to 59.0.3071.86 for Linux, Windows, and Mac, and 59.0.3071.92 for Android, allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. | ||||
| CVE-2025-11720 | 2 Google, Mozilla | 2 Android, Firefox | 2026-04-20 | 8.1 High |
| The Firefox and Firefox Focus UI for the Android custom tab feature only showed the "site" that was loaded, not the full hostname. User supplied content hosted on a subdomain of a site could have been used to fool a user into thinking it was content from a different subdomain of that site. This vulnerability was fixed in Firefox 144. | ||||
| CVE-2025-11716 | 2 Google, Mozilla | 3 Android, Firefox, Thunderbird | 2026-04-20 | 6.5 Medium |
| Links in a sandboxed iframe could open an external app on Android without the required "allow-" permission. This vulnerability was fixed in Firefox 144 and Thunderbird 144. | ||||
| CVE-2025-0246 | 2 Google, Mozilla | 2 Android, Firefox | 2026-04-20 | 6.5 Medium |
| When using an invalid protocol scheme, an attacker could spoof the address bar. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.* *Note: This issue is a different issue from CVE-2025-0244. This vulnerability was fixed in Firefox 134. | ||||
| CVE-2025-8041 | 2 Google, Mozilla | 2 Android, Firefox | 2026-04-20 | 5.3 Medium |
| In the address bar, Firefox for Android truncated the display of URLs from the end instead of prioritizing the origin. This vulnerability was fixed in Firefox 141. | ||||
| CVE-2025-11717 | 2 Google, Mozilla | 2 Android, Firefox | 2026-04-20 | 9.1 Critical |
| When switching between Android apps using the card carousel Firefox shows a black screen as its card image when a password-related screen was the last one being used. Prior to Firefox 144 the password edit screen was visible. This vulnerability was fixed in Firefox 144. | ||||
| CVE-2025-11718 | 2 Google, Mozilla | 2 Android, Firefox | 2026-04-20 | 6.5 Medium |
| When the address bar was hidden due to scrolling on Android, a malicious page could create a fake address bar to fool the user in response to a visibilitychange event. This vulnerability was fixed in Firefox 144. | ||||
| CVE-2025-6428 | 2 Google, Mozilla | 2 Android, Firefox | 2026-04-20 | 4.3 Medium |
| When a URL was provided in a link querystring parameter, Firefox for Android would follow that URL instead of the correct URL, potentially leading to phishing attacks. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox 140. | ||||
| CVE-2025-6431 | 2 Google, Mozilla | 2 Android, Firefox | 2026-04-20 | 6.5 Medium |
| When a link can be opened in an external application, Firefox for Android will, by default, prompt the user before doing so. An attacker could have bypassed this prompt, potentially exposing the user to security vulnerabilities or privacy leaks in external applications. *This bug only affects Firefox for Android. Other versions of Firefox are unaffected.*. This vulnerability was fixed in Firefox 140. | ||||
| CVE-2025-9186 | 2 Google, Mozilla | 2 Android, Firefox | 2026-04-20 | 6.5 Medium |
| Spoofing issue in the Address Bar component of Firefox Focus for Android. This vulnerability was fixed in Firefox 142. | ||||
| CVE-2025-8042 | 2 Google, Mozilla | 2 Android, Firefox | 2026-04-20 | 9.8 Critical |
| Firefox for Android allowed a sandboxed iframe without the `allow-downloads` attribute to start downloads. This vulnerability was fixed in Firefox 141. | ||||
| CVE-2025-8364 | 2 Google, Mozilla | 2 Android, Firefox | 2026-04-20 | 4.3 Medium |
| A crafted URL using a blob: URI could have hidden the true origin of the page, resulting in a potential spoofing attack. *Note: This issue only affected Android operating systems. Other operating systems are unaffected.*. This vulnerability was fixed in Firefox 141. | ||||
| CVE-2026-0017 | 1 Google | 1 Android | 2026-04-18 | 7.7 High |
| In onChange of BiometricService.java, there is a possible way to enable fingerprint unlock due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | ||||
| CVE-2026-22694 | 2 Aliasvault, Google | 2 Aliasvault, Android | 2026-04-18 | 6.1 Medium |
| AliasVault is a privacy-first password manager with built-in email aliasing. AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access. The issue involved incomplete validation of calling app identity, origin, and RP ID in the Android credential provider. This issue was fixed in AliasVault Android 0.25.3. | ||||
| CVE-2026-0901 | 4 Apple, Google, Linux and 1 more | 5 Macos, Android, Chrome and 2 more | 2026-04-18 | 5.4 Medium |
| Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-20415 | 2 Google, Mediatek | 3 Android, Mt6897, Mt6989 | 2026-04-18 | 5.5 Medium |
| In imgsys, there is a possible memory corruption due to improper locking. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363254; Issue ID: MSV-5617. | ||||