-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 14 May 2026 16:39:29 -0400
Source: chromium
Architecture: source
Version: 148.0.7778.167-1
Distribution: unstable
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Changes:
chromium (148.0.7778.167-1) unstable; urgency=high
.
[ Andres Salomon ]
* New upstream security release.
- CVE-2026-8509: Heap buffer overflow in WebML.
Reported by c6eed09fc8b174b0f3eebedcceb1e792.
- CVE-2026-8510: Integer overflow in Skia. Reported by q@calif.io.
- CVE-2026-8511: Use after free in UI. Reported by Google.
- CVE-2026-8512: Use after free in FileSystem. Reported by Google.
- CVE-2026-8513: Use after free in Input. Reported by Google.
- CVE-2026-8514: Use after free in Aura. Reported by Google.
- CVE-2026-8515: Use after free in HID. Reported by Google.
- CVE-2026-8516: Insufficient validation of untrusted input in
DataTransfer. Reported by Google.
- CVE-2026-8517: Object lifecycle issue in WebShare. Reported by Google.
- CVE-2026-8518: Use after free in Blink. Reported by Google.
- CVE-2026-8519: Integer overflow in ANGLE. Reported by Google.
- CVE-2026-8520: Race in Payments. Reported by Google.
- CVE-2026-8521: Use after free in Tab Groups. Reported by Google.
- CVE-2026-8522: Use after free in Downloads. Reported by Google.
- CVE-2026-8523: Use after free in Mojo.
Reported by Paul Seekamp / nullenc0de.
- CVE-2026-8558: Out of bounds write in Fonts. Reported by Matej Smycka.
- CVE-2026-8524: Out of bounds write in WebAudio.
Reported by Brendan Dolan-Gavitt, XBOW.
- CVE-2026-8525: Heap buffer overflow in ANGLE.
Reported by Nathaniel Oh (@calysteon).
- CVE-2026-8526: Out of bounds write in WebRTC.
Reported by c6eed09fc8b174b0f3eebedcceb1e792.
- CVE-2026-8527: Insufficient validation of untrusted input in Downloads.
Reported by rachmat.abdul.ro.
- CVE-2026-8528: Insufficient validation of untrusted input in
SiteIsolation. Reported by Google.
- CVE-2026-8529: Heap buffer overflow in Codecs. Reported by Google.
- CVE-2026-8530: Use after free in Network. Reported by Google.
- CVE-2026-8531: Heap buffer overflow in WebML. Reported by Syn4pse.
- CVE-2026-8532: Integer overflow in XML. Reported by Google.
- CVE-2026-8533: Use after free in Accessibility. Reported by Google.
- CVE-2026-8534: Integer overflow in GPU. Reported by Google.
- CVE-2026-8535: Out of bounds read in Media. Reported by Google.
- CVE-2026-8536: Insufficient validation of untrusted input in
ReadingMode. Reported by Google.
- CVE-2026-8537: Insufficient policy enforcement in ViewTransitions.
Reported by Google.
- CVE-2026-8538: Insufficient validation of untrusted input in GPU.
Reported by Google.
- CVE-2026-8539: Script injection in SanitizerAPI.
Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po).
- CVE-2026-8540: Type Confusion in V8. Reported by Google.
- CVE-2026-8541: Out of bounds read in UI. Reported by Google.
- CVE-2026-8542: Use after free in Core. Reported by Google.
- CVE-2026-8543: Out of bounds read in FileSystem. Reported by Google.
- CVE-2026-8544: Use after free in Media. Reported by Google.
- CVE-2026-8545: Object corruption in Compositing. Reported by Google.
- CVE-2026-8546: Out of bounds read in GPU. Reported by Google.
- CVE-2026-8547: Insufficient policy enforcement in Passwords.
Reported by Google.
- CVE-2026-8548: Out of bounds write in Media. Reported by Google.
- CVE-2026-8549: Use after free in Media. Reported by Google.
- CVE-2026-8550: Use after free in Google Lens. Reported by Google.
- CVE-2026-8551: Use after free in Downloads. Reported by Google.
- CVE-2026-8552: Heap buffer overflow in GPU. Reported by Google.
- CVE-2026-8553: Use after free in GPU. Reported by Google.
- CVE-2026-8554: Type Confusion in ANGLE. Reported by Google.
- CVE-2026-8555: Use after free in GTK. Reported by Google.
- CVE-2026-8556: Inappropriate implementation in ANGLE. Reported by Google.
- CVE-2026-8557: Use after free in Accessibility. Reported by Google.
- CVE-2026-8559: Integer overflow in Internationalization.
Reported by Google.
- CVE-2026-8560: Heap buffer overflow in SwiftShader.
Reported by Cassidy Kim (@cassidy6564).
- CVE-2026-8561: Incorrect security UI in Fullscreen. Reported by
Wolfgang Ettlinger (aff. Certitude Consulting GmbH) Alexander Hurbean
(aff. Certitude Consulting GmbH).
- CVE-2026-8562: Side-channel information leakage in Navigation.
Reported by Google.
- CVE-2026-8563: Insufficient policy enforcement in IFrame Sandbox.
Reported by Luan Herrera (@lbherrera_).
- CVE-2026-8564: Incorrect security UI in Downloads.
Reported by Alesandro Ortiz https://AlesandroOrtiz.com.
- CVE-2026-8565: Inappropriate implementation in Downloads.
Reported by Farras Givari.
- CVE-2026-8566: Insufficient policy enforcement in Payments.
Reported by Jorian Woltjer.
- CVE-2026-8567: Integer overflow in ANGLE. Reported by cinzinga.
- CVE-2026-8568: Insufficient policy enforcement in AI.
Reported by Tianyi Hu.
- CVE-2026-8569: Out of bounds write in Codecs. Reported by Google.
- CVE-2026-8570: Type Confusion in V8. Reported by Google.
- CVE-2026-8571: Insufficient policy enforcement in GPU.
Reported by Mark Blaszczyk.
- CVE-2026-8572: Insufficient policy enforcement in Network.
Reported by Google.
- CVE-2026-8573: Integer overflow in Codecs. Reported by Google.
- CVE-2026-8574: Use after free in Core. Reported by Google.
- CVE-2026-8575: Use after free in UI. Reported by Google.
- CVE-2026-8576: Inappropriate implementation in CORS. Reported by Google.
- CVE-2026-8577: Integer overflow in Fonts. Reported by Google.
- CVE-2026-8578: Out of bounds read in GPU. Reported by Google.
- CVE-2026-8579: Insufficient validation of untrusted input in Skia.
Reported by Google.
- CVE-2026-8580: Use after free in Mojo. Reported by Google.
- CVE-2026-8581: Use after free in GPU. Reported by Google.
- CVE-2026-8582: Object lifecycle issue in Dawn. Reported by Google.
- CVE-2026-8583: Insufficient policy enforcement in WebXR.
Reported by Google.
- CVE-2026-8584: Inappropriate implementation in Views. Reported by Google.
- CVE-2026-8585: Inappropriate implementation in Media. Reported by Google.
- CVE-2026-8586: Inappropriate implementation in Chromoting.
Reported by Google.
- CVE-2026-8587: Use after free in Extensions.
Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab.
* rust-1.85/file_as_c_str.patch: fix build on non-x86 archs, as char*
signed-ness is apparently different there versus arm & ppc64 [trixie,
bookworm].
Checksums-Sha1:
8f0266a611223b06fb02eb29de4fb993a1d3b8c1 4079 chromium_148.0.7778.167-1.dsc
1ce8e6516d62190f97ba688b4ff4d0411add81c7 900734916 chromium_148.0.7778.167.orig.tar.xz
ad40105160bb786514b5ee27d000fc9daf666277 486468 chromium_148.0.7778.167-1.debian.tar.xz
fba972d0ca8065404144aed8b519baf4062bce5b 28053 chromium_148.0.7778.167-1_source.buildinfo
Checksums-Sha256:
fade6bdcffeafccd4b3a247d3155ac43e8e25a0c54dace1f58ff457245f01d27 4079 chromium_148.0.7778.167-1.dsc
82f42e6c4ef729654ed806192fd49fa750f810cfe6f18651c76110eeb50750be 900734916 chromium_148.0.7778.167.orig.tar.xz
83caca8e83b3368f62e159334ce731f7e7e36f7ef7031a5aef41a33b06f44692 486468 chromium_148.0.7778.167-1.debian.tar.xz
737b9e9a4502d2f8d394ddbaa95ed2ca4797fb3a912ef353634385308c4cafd5 28053 chromium_148.0.7778.167-1_source.buildinfo
Files:
f1792280ab3437f237fc1c8c427d23a1 4079 web optional chromium_148.0.7778.167-1.dsc
b193e9b383a121afb04f22210aba1d8b 900734916 web optional chromium_148.0.7778.167.orig.tar.xz
a0521b8629a089a503f372104c095751 486468 web optional chromium_148.0.7778.167-1.debian.tar.xz
5bf5b49c5b27682b2df448e3acd58424 28053 web optional chromium_148.0.7778.167-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----