Microsoft Discloses Chromium V8 Use-After-Free and Heap Buffer Overflow Flaws
Microsoft published security advisories for two vulnerabilities affecting separate components: CVE-2026-5861, a use-after-free flaw in Chromium's V8 JavaScript engine, and CVE-2026-31789, a heap buffer overflow in hexadecimal conversion logic. The advisories were released through Microsoft's Security Update Guide and identify memory-safety issues that could expose affected software to instability or potential code-execution scenarios depending on how the vulnerable components are reached.
The disclosures highlight continued risk from low-level memory corruption bugs in widely used software components, particularly browser engine code and data-conversion routines. Microsoft did not provide detailed public synopses in the referenced advisories, but the vulnerability classifications indicate that organizations should prioritize patch review and deployment for products that incorporate the affected Chromium and Microsoft code paths.
Timeline
Apr 9, 2026
Microsoft publishes advisory for CVE-2026-31789
Microsoft added CVE-2026-31789 to its Security Update Guide, describing it as a heap buffer overflow in hexadecimal conversion.
Jan 1, 2026
Microsoft publishes advisory for CVE-2026-5861
Microsoft added CVE-2026-5861 to its Security Update Guide, identifying it as a Chromium V8 use-after-free vulnerability.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
Microsoft Ships Chromium Fixes for Multiple Memory Safety Flaws in Edge
Microsoft published security advisories for a broad set of Chromium vulnerabilities affecting its browser platform, including `CVE-2026-7344` (use-after-free in Accessibility), `CVE-2026-7341` (use-after-free in WebRTC), `CVE-2026-7353` (heap buffer overflow in Skia), and `CVE-2026-7337` (type confusion in V8). Additional flaws patched include use-after-free bugs in Views, Media, GPU, Cast, and Navigation, along with insufficient validation of untrusted input in Compositing and an inappropriate implementation issue in Tint. The volume and variety of bugs indicate a significant browser security update focused on memory-safety and input-handling weaknesses in Chromium components commonly exposed through web content. Microsoft also listed `CVE-2026-31682`, a separate issue tied to `br_nd_send` and Neighbor Discovery option parsing, but the main body of advisories centers on Chromium-derived fixes that organizations should prioritize across Microsoft Edge deployments to reduce risk from malicious websites and crafted content.
4 days ago
Microsoft Flags Multiple Chromium Memory-Safety Flaws in Security Update Guide
Microsoft published Security Update Guide entries for a broad set of **Chromium** vulnerabilities affecting browser components including **WebRTC, ANGLE, Network, Navigation, Blink, Base, V8, Skia,** and **WebAudio**. The listed issues include multiple `use-after-free` bugs such as `CVE-2026-4445`, `CVE-2026-4454`, `CVE-2026-4449`, and `CVE-2026-4441`, as well as a `heap buffer overflow` in `ANGLE` (`CVE-2026-4448`), a `heap buffer overflow` in `WebAudio` (`CVE-2026-4443`), an `out-of-bounds read` in `Skia` (`CVE-2026-4460`), `insufficient validation of untrusted input` in `Navigation` (`CVE-2026-4451`), and an `inappropriate implementation` flaw in `V8` (`CVE-2026-4461`). The same set of advisories also included non-Chromium entries tied to lower-level platform components: `CVE-2026-4438` for `gethostbyaddr` and `gethostbyaddr_r` returning invalid DNS hostnames, `CVE-2025-71267` for an `ntfs3` infinite loop triggered by a zero-sized `ATTR_LIST`, and `CVE-2026-23233` for an `f2fs` fix to avoid mapping the wrong physical block for a swapfile. Together, the disclosures show Microsoft tracking both browser-engine memory-corruption risks and underlying filesystem and networking defects through its update pipeline.
1 months ago
Microsoft Chromium Updates Address Blink Use-After-Free and History Navigation UI Flaw
Microsoft published security advisories for two Chromium vulnerabilities affecting browser security components: **CVE-2026-5872**, a **use-after-free in Blink**, and **CVE-2026-5899**, an **incorrect security UI issue in History Navigation**. The flaws were listed in Microsoft's Security Update Guide as Chromium-related issues, indicating they affect browser code relied on by Microsoft products built on the Chromium engine. The Blink memory-safety bug could expose users to instability or potential exploitation scenarios typical of use-after-free vulnerabilities, while the History Navigation flaw involves incorrect security indicators that could mislead users about page state or trust signals during navigation. Organizations using Microsoft browsers or platforms that incorporate Chromium components should review the relevant advisories and apply the associated security updates through normal patch management processes.
3 weeks ago