Format: 1.8
Date: Tue, 09 Jun 2026 04:00:45 -0400
Source: chromium
Architecture: source
Version: 149.0.7827.102-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Chromium Team
Changed-By: Andres Salomon
Changes:
 chromium (149.0.7827.102-1~deb13u1) trixie-security; urgency=high
 .
   [ Andres Salomon ]
   * New upstream security release.
     - CVE-2026-11628: Use after free in Ozone. Reported by Google.
     - CVE-2026-11629: Use after free in Ozone. Reported by Google.
     - CVE-2026-11630: Use after free in File Input. Reported by Google.
     - CVE-2026-11631: Use after free in Aura. Reported by Google.
     - CVE-2026-11632: Use after free in TabStrip. Reported by Google.
     - CVE-2026-11633: Use after free in Bluetooth. Reported by Google.
     - CVE-2026-11634: Use after free in Gamepad. Reported by Google.
     - CVE-2026-11635: Use after free in Bluetooth. Reported by Google.
     - CVE-2026-11636: Use after free in Autofill. Reported by Google.
     - CVE-2026-11637: Use after free in Views. Reported by Google.
     - CVE-2026-11638: Use after free in Printing. Reported by Google.
     - CVE-2026-11639: Use after free in Compositing. Reported by Google.
     - CVE-2026-11640: Integer overflow in libyuv. Reported by Google.
     - CVE-2026-11641: Use after free in Bluetooth. Reported by Google.
     - CVE-2026-11642: Use after free in Web Apps. Reported by Google.
     - CVE-2026-11643: Use after free in Proxy. Reported by Google.
     - CVE-2026-11644: Use after free in Views. Reported by Google.
     - CVE-2026-11645: Out of bounds memory access in V8. Reported by 303f06e3
     - CVE-2026-11646: Use after free in ViewTransitions. Reported by Quac Tran.
     - CVE-2026-11647: Use after free in Printing. Reported by Google.
     - CVE-2026-11648: Use after free in FullScreen. Reported by Mihnea Nicolau.
     - CVE-2026-11649: Use after free in V8. Reported by Google.
     - CVE-2026-11650: Use after free in V8. Reported by Google.
     - CVE-2026-11651: Use after free in Network. Reported by Google.
     - CVE-2026-11652: Use after free in Extensions. Reported by Google.
     - CVE-2026-11653: Insufficient validation of untrusted input in Extensions. Reported by Google.
     - CVE-2026-11654: Use after free in CameraCapture. Reported by Google.
     - CVE-2026-11655: Integer overflow in Media. Reported by Google.
     - CVE-2026-11656: Use after free in ServiceWorker. Reported by Google.
     - CVE-2026-11657: Use after free in Payments. Reported by Google.
     - CVE-2026-11658: Insufficient validation of untrusted input in Extensions. Reported by Google.
     - CVE-2026-11659: Insufficient validation of untrusted input in UI. Reported by Google.
     - CVE-2026-11660: Insufficient validation of untrusted input in New Tab Page. Reported by Google.
     - CVE-2026-11661: Use after free in Views. Reported by Google.
     - CVE-2026-11662: Type Confusion in Bindings. Reported by Google.
     - CVE-2026-11663: Use after free in Skia. Reported by Google.
     - CVE-2026-11664: Use after free in Payments. Reported by Google.
     - CVE-2026-11665: Out of bounds read in Dawn. Reported by Google.
     - CVE-2026-11666: Insufficient validation of untrusted input in Input. Reported by Google.
     - CVE-2026-11667: Out of bounds read in WebRTC. Reported by Google.
     - CVE-2026-11668: Uninitialized Use in Codecs. Reported by Google.
     - CVE-2026-11669: Integer overflow in Media. Reported by Google.
     - CVE-2026-11670: Use after free in PDF. Reported by Google.
     - CVE-2026-11671: Use after free in Navigation. Reported by Google.
     - CVE-2026-11672: Out of bounds write in GPU. Reported by Google.
     - CVE-2026-11673: Use after free in InterestGroups. Reported by Google.
     - CVE-2026-11674: Use after free in Guest View. Reported by Google.
     - CVE-2026-11675: Insufficient validation of untrusted input in Skia. Reported by Google.
     - CVE-2026-11676: Insufficient validation of untrusted input in Dawn. Reported by Google.
     - CVE-2026-11677: Race in Network. Reported by Google.
     - CVE-2026-11678: Integer overflow in libyuv. Reported by Google.
     - CVE-2026-11679: Use after free in Codecs. Reported by Google.
     - CVE-2026-11680: Use after free in Media. Reported by Google.
     - CVE-2026-11681: Use after free in Ozone. Reported by Google.
     - CVE-2026-11682: Insufficient validation of untrusted input in Views. Reported by Google.
     - CVE-2026-11683: Use after free in WebCodecs. Reported by Google.
     - CVE-2026-11684: Insufficient policy enforcement in Network. Reported by Google.
     - CVE-2026-11685: Insufficient data validation in MediaCapture. Reported by Google.
     - CVE-2026-11686: Insufficient validation of untrusted input in Dawn. Reported by Google.
     - CVE-2026-11687: Use after free in Dawn. Reported by Google.
     - CVE-2026-11688: Object lifecycle issue in SVG. Reported by Google.
     - CVE-2026-11689: Insufficient validation of untrusted input in Passwords. Reported by Google.
     - CVE-2026-11690: Out of bounds read and write in Media. Reported by Google.
     - CVE-2026-11691: Insufficient validation of untrusted input in New Tab Page. Reported by Google.
     - CVE-2026-11692: Use after free in Read Anything. Reported by Google.
     - CVE-2026-11693: Inappropriate implementation in Plugins. Reported by Google.
     - CVE-2026-11694: Use after free in ServiceWorker. Reported by Google.
     - CVE-2026-11695: Inappropriate implementation in Passwords. Reported by Google.
     - CVE-2026-11696: Uninitialized Use in Video. Reported by Google.
     - CVE-2026-11697: Insufficient validation of untrusted input in UI. Reported by Google.
     - CVE-2026-11698: Use after free in Bluetooth. Reported by Google.
     - CVE-2026-11699: Use after free in Bluetooth. Reported by Google.
     - CVE-2026-11700: Use after free in Tracing. Reported by Google.
     - CVE-2026-11701: Insufficient validation of untrusted input in Guest View. Reported by Google.
   * d/patches:
     - fixes/arm-logging.patch: add patch to hopefully fix build failure
       on arm*.
     - loongarch64/0024-fix-libyuv-lsx.patch: refresh.
 .
   [ Timothy Pearson ]
   * d/patches/ppc64le:
     - 0001-Add-pregenerated-config-for-libaom-on-ppc64.patch: refresh
       for upstream changes
     - core/baseline-isa-3-0.patch: refresh