chromium - Debian Package Tracker

general

source: chromium (main)
version: 149.0.7827.155-1
maintainer: Debian Chromium Team (DMD)
uploaders: Andres Salomon [DMD] – Timothy Pearson [DMD] – Daniel Richard G. [DMD]
arch: all amd64 arm64 armhf i386 loong64 ppc64el
std-ver: 4.5.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 120.0.6099.224-1~deb11u1
o-o-sec: 120.0.6099.224-1~deb11u1
oldstable: 147.0.7727.137-1~deb12u1
old-sec: 149.0.7827.155-1~deb12u1
old-p-u: 149.0.7827.155-1~deb12u1
stable: 147.0.7727.137-1~deb13u1
stable-sec: 149.0.7827.155-1~deb13u1
stable-p-u: 149.0.7827.155-1~deb13u1
testing: 149.0.7827.114-1
unstable: 149.0.7827.155-1

versioned links

120.0.6099.224-1~deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
147.0.7727.137-1~deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
147.0.7727.137-1~deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
149.0.7827.114-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
149.0.7827.155-1~deb12u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
149.0.7827.155-1~deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
149.0.7827.155-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

chromium (69 bugs: 1, 38, 30, 0)
chromium-common
chromium-driver
chromium-headless-shell
chromium-l10n
chromium-sandbox
chromium-shell

action needed

33 security issues in forky high

There are 33 open security issues in forky.

33 important issues:

CVE-2026-12437: Use after free in WebShare in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CVE-2026-12438: Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CVE-2026-12439: Use after free in Digital Credentials in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
CVE-2026-12440: Use after free in DigitalCredentials in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
CVE-2026-12441: Use after free in File Input in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)
CVE-2026-12442: Use after free in Passwords in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
CVE-2026-12443: Use after free in Web Authentication in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical)
CVE-2026-12444: Out of bounds read in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: High)
CVE-2026-12445: Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: High)
CVE-2026-12446: Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12447: Heap buffer overflow in WebRTC in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12448: Inappropriate implementation in WebView in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12449: Use after free in Chromoting in Google Chrome on Windows prior to 149.0.7827.155 allowed a local attacker to perform OS-level privilege escalation via a malicious file. (Chromium security severity: High)
CVE-2026-12450: Inappropriate implementation in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12451: Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12452: Use after free in Downloads in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12453: Insufficient validation of untrusted input in Input in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12454: Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12455: Use after free in Tab Strip in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12456: Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed an attacker who convinced a user to install a malicious extension to bypass same origin policy via a crafted Chrome Extension. (Chromium security severity: High)
CVE-2026-12457: Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12458: Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12459: Inappropriate implementation in Serial in Google Chrome prior to 149.0.7827.155 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12460: Insufficient policy enforcement in File System Access in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted PDF file. (Chromium security severity: High)
CVE-2026-12461: Out of bounds read in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12462: Use after free in Media in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12463: Inappropriate implementation in Views in Google Chrome on Linux prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to inject arbitrary scripts or HTML (UXSS) via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12464: Use after free in Browser in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12465: Object lifecycle issue in Metrics in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12466: Heap buffer overflow in WebRTC in Google Chrome on Windows prior to 149.0.7827.155 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12467: Use after free in Extensions in Google Chrome prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12468: Race in Updater in Google Chrome on Mac prior to 149.0.7827.155 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
CVE-2026-12469: Uninitialized Use in GPU in Google Chrome on Android prior to 149.0.7827.155 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Created: 2026-06-17 Last update: 2026-06-19 07:00

lintian reports 16 errors and 3013 warnings high

Lintian reports 16 errors and 3013 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-06-18 Last update: 2026-06-18 23:00

Fails to build during reproducibility testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2026-05-06 Last update: 2026-06-21 18:34

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 2-day delay is over. Check why.

Created: 2026-06-20 Last update: 2026-06-21 18:33

4 bugs tagged help in the BTS normal

The BTS contains 4 bugs tagged help, please consider helping the maintainer in dealing with them.

Created: 2019-03-21 Last update: 2026-06-21 18:30

7 bugs tagged patch in the BTS normal

The BTS contains patches fixing 7 bugs, consider including or untagging them.

Created: 2026-06-02 Last update: 2026-06-21 18:30

4 open merge requests in Salsa normal

There are 4 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2026-03-08 Last update: 2026-06-17 22:32

RFH: The maintainer is looking for help with this package. normal

The current maintainer is looking for someone who can help with the maintenance of this package. If you are interested in this package, please consider helping out. One way you can help is offer to be a co-maintainer or triage bugs in the BTS. Please see bug number #1016047 for more information.

Created: 2022-07-26 Last update: 2022-07-26 03:32

AppStream hints: 1 warning normal

AppStream found metadata issues for packages:

chromium: 1 warning

You should get rid of them to provide more metadata about this software.

Created: 2020-06-01 Last update: 2020-06-01 01:12

debian/patches: 140 patches to forward upstream low

Among the 144 debian patches available in version 149.0.7827.155-1 of the package, we noticed the following issues:

140 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-06-18 08:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.5.0).

Created: 2020-11-17 Last update: 2026-06-18 06:03

testing migrations

excuses:
- Migrates after: gcc-16
- Migration status for chromium (149.0.7827.114-1 to 149.0.7827.155-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for slm/3.0-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Regression ♻ (reference ♻), ppc64el: No tests, superficial or marked flaky ♻ (reference ♻)
- ∙ ∙ Depends: chromium gcc-16 (not considered)
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/c/chromium.html
- ∙ ∙ Autopkgtest skipped on riscv64: not installable (which is allowed)
- ∙ ∙ Autopkgtest skipped on s390x: not installable (which is allowed)
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 3 days old (needed 2 days)
- Not considered

news

[rss feed]

[2026-06-19] Accepted chromium 149.0.7827.155-1~deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-19] Accepted chromium 149.0.7827.155-1~deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-18] Accepted chromium 149.0.7827.155-1~deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-18] Accepted chromium 149.0.7827.155-1~deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-17] Accepted chromium 149.0.7827.155-1 (source) into unstable (Andres Salomon)
[2026-06-17] chromium 149.0.7827.114-1 MIGRATED to testing (Debian testing watch)
[2026-06-15] Accepted chromium 149.0.7827.114-1~deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-15] Accepted chromium 149.0.7827.114-1~deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-13] Accepted chromium 149.0.7827.114-1~deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-13] Accepted chromium 149.0.7827.114-1~deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-13] Accepted chromium 149.0.7827.102-1~deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-13] Accepted chromium 149.0.7827.53-1~deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-13] Accepted chromium 148.0.7778.215-1~deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-13] Accepted chromium 149.0.7827.102-1~deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-13] Accepted chromium 149.0.7827.53-1~deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-13] Accepted chromium 148.0.7778.215-1~deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-13] Accepted chromium 149.0.7827.114-1 (source) into unstable (Andres Salomon)
[2026-06-10] Accepted chromium 149.0.7827.102-1~deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-10] Accepted chromium 149.0.7827.102-1~deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-09] Accepted chromium 149.0.7827.102-1 (source) into unstable (Andres Salomon)
[2026-06-07] Accepted chromium 149.0.7827.53-1~deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-07] Accepted chromium 149.0.7827.53-1~deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-06] Accepted chromium 149.0.7827.53-1 (source) into unstable (Andres Salomon)
[2026-06-02] Accepted chromium 148.0.7778.215-2 (source) into unstable (Juan Manuel Méndez Rey) (signed by: Andres Salomon)
[2026-06-01] Accepted chromium 148.0.7778.215-1~deb12u1 (source) into oldstable-security (Debian FTP Masters) (signed by: Andres Salomon)
[2026-06-01] Accepted chromium 148.0.7778.215-1~deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Andres Salomon)
[2026-05-30] Accepted chromium 148.0.7778.215-1 (source) into unstable (Andres Salomon)
[2026-05-23] chromium 148.0.7778.178-1 MIGRATED to testing (Debian testing watch)
[2026-05-22] Accepted chromium 148.0.7778.178-1~deb12u1 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Andres Salomon)
[2026-05-22] Accepted chromium 148.0.7778.178-1~deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Andres Salomon)

bugs [bug history graph]

all: 80 86
RC: 1
I&N: 41 43
M&W: 38 42
F&P: 0
patch: 7
help: 4

links

homepage
lintian (16, 3013)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
screenshots
debian patches