Chrome's 2026 CVE Spike: Is Agentic the Reason?
Chrome accounts for roughly 65% of the world’s browser usage. CVE counts for 2021–2025 were on a steady downward trend — then 2026 broke the pattern sharply. I scraped five years of data from the Chrome Releases blog and the Chromium Dash API to see what’s behind it.
This post was generated by AI. The analysis was done for business purposes and the data is shared here as it may be useful to others. Data covers Stable Linux releases, Jan 2021–Jun 2026. CVE severity is extracted from blog post HTML and may undercount — treat as directional. CVE counts include all platforms, not just Linux.
Background: Release Cadence
Chrome switched from a 6-week to a 4-week major release cycle with M94 in September 2021. Average days between security-focused updates: 11.2 (2021) → 4.1 (2026).
| Year | Stable Releases | Security Releases | Avg Days Between | Milestones |
|---|---|---|---|---|
| 2021 | 33 | 31 (8.1%) | 11.2 | 87–96 |
| 2022 | 37 | 63 (12.0%) | 6.4 | 97–108 |
| 2023 | 44 | 71 (13.0%) | 5.6 | 109–120 |
| 2024 | 53 | 83 (14.3%) | 5.1 | 120–131 |
| 2025 | 50 | 81 (14.6%) | 5.1 | 131–143 |
| 2026 | 28 | 48 (16.5%) | 4.1 | 143–149 (Jan–Jun) |
The CVE Trend Break
CVE counts per security release were declining steadily from 2021 to 2025. Then 2026:
| Year | Total CVEs | Avg CVEs / Security Release |
|---|---|---|
| 2021 | 353 | 11.4 |
| 2022 | 562 | 8.9 |
| 2023 | 450 | 6.3 |
| 2024 | 420 | 5.1 |
| 2025 | 381 | 4.7 |
| 2026 | 1,589 | 33.1 (6 months) |
The monthly breakdown shows this isn’t a single outlier patch — it’s an acceleration across the quarter:
| Month | Sec Releases | CVEs | Critical | High | Medium | Low |
|---|---|---|---|---|---|---|
| Jan | 7 | 41 | 0 | 10 | 5 | 2 |
| Feb | 8 | 52 | 0 | 9 | 3 | 0 |
| Mar | 12 | 130 | 0 | 8 | 0 | 0 |
| Apr | 8 | 232 | 12 | 77 | 30 | 24 |
| May | 7 | 547 | 48 | 273 | 181 | 42 |
| Jun* | 6 | 587 | 63 | 199 | 230 | 94 |
Jun*: data through June 13 (~half the month).
Jan–Mar averaged 74 CVEs/month. Apr–Jun is averaging ~455 CVEs/month — a 6× step-up within one quarter.
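The severity columns in the monthly table sum to fewer CVEs than the CVEs column (17 of 41 in January), consistent with the undercount noted at the top of the post. The sketch below is an added example, not the scraper used for this post: it assumes entries shaped like `<Severity> <CVE-ID>: <description>` and runs on a constructed sample, counting every CVE ID toward the total but assigning severity and type only where a full entry is found.

```python
import re
from collections import Counter

# Constructed sample in the style of release-note security entries.
# Bug IDs, CVE IDs and wording are placeholders, not real advisories.
SAMPLE_POST = """\
[400000001] Critical CVE-2026-00001: Use after free in Ozone. Reported by Example
[400000002] High CVE-2026-00002: Heap buffer overflow in libyuv.
[400000003] Medium CVE-2026-00003: Insufficient validation of untrusted input in FileSystem.
This update also includes CVE-2026-00004 and CVE-2026-00005 from internal audits.
[400000002] High CVE-2026-00002: Heap buffer overflow in libyuv.
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Assumed entry layout: "<Severity> <CVE-ID>: <description>."
ENTRY_RE = re.compile(r"\b(Critical|High|Medium|Low)\s+(CVE-\d{4}-\d{4,}):\s*([^.\n]*)")

# (prefix, bucket) pairs; bucket names follow the post's type table.
TYPE_PREFIXES = [
    ("use after free", "Use after free"),
    ("heap buffer overflow", "Heap buffer overflow"),
    ("out of bounds", "Out of bounds read/write"),
    ("type confusion", "Type confusion"),
    ("integer overflow", "Integer overflow"),
    ("insufficient validation", "Insufficient validation"),
    ("insufficient policy enforcement", "Insufficient policy enforcement"),
    ("inappropriate implementation", "Inappropriate implementation"),
    ("incorrect security ui", "Incorrect security UI"),
]
OTHER = "Other / unclassified"

def classify(description):
    desc = description.strip().lower()
    return next((bucket for prefix, bucket in TYPE_PREFIXES if desc.startswith(prefix)), OTHER)

def summarize(text):
    all_ids = set(CVE_RE.findall(text))          # every CVE mentioned anywhere
    rated = {}                                   # CVE -> (severity, type)
    for sev, cve, desc in ENTRY_RE.findall(text):
        rated.setdefault(cve, (sev, classify(desc)))   # repeated entries count once
    unrated = sorted(all_ids - set(rated))
    by_type = Counter(t for _, t in rated.values())
    by_type[OTHER] += len(unrated)               # no description to classify
    return {"total": len(all_ids), "unrated": unrated,
            "by_severity": Counter(s for s, _ in rated.values()), "by_type": by_type}

if __name__ == "__main__":
    print(summarize(SAMPLE_POST))
```

On the sample, the total is five CVEs while the severity counts cover only three; the two IDs mentioned in passing land in "Other / unclassified".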
What Changed
The vulnerability type mix shifted alongside the volume increase. The all-time breakdown (2021–2026):
| Vulnerability Type | Count | Share |
|---|---|---|
| Use after free | 1,220 | 32% |
| Other / unclassified | 715 | 19% |
| Inappropriate implementation | 517 | 14% |
| Out of bounds read/write | 278 | 7% |
| Heap buffer overflow | 226 | 6% |
| Insufficient validation | 208 | 6% |
| Insufficient policy enforcement | 189 | 5% |
| Type confusion | 171 | 5% |
| Integer overflow | 88 | 2% |
| Incorrect security UI | 61 | 2% |
In early 2026 (Jan–Mar), the dominant types were “Inappropriate implementation” and unclassified. From April onward, “Insufficient validation” surged — 110 CVEs in the first half of June alone. Use after free (UAF), which has always led the charts, roughly tripled in volume from its 2025 rate.
The June 12 patch (M149) is the largest single update in this dataset: 17 Critical CVEs across Ozone, Views, TabStrip, FileSystem, Printing, Chromoting, GPU, and libyuv. Ozone alone accounts for at least five distinct Critical CVEs since April.
Notably, the number of security releases hasn’t increased proportionally — from 81 in all of 2025 to ~96 projected for 2026. It’s CVEs per release that jumped, from 4.7 to 33.1. More bugs are being found per audit cycle, not just more audit cycles.
One open question: is improved LLM and agentic tooling in security research responsible for the volume increase? AI-assisted fuzzing and automated code analysis have advanced considerably in the past year, and UAF bugs in C++ are exactly the class these tools are well-suited to surface at scale. The data doesn’t answer this — but the timing and the type distribution are consistent with the hypothesis.
EoY 2026 Projection
| Scenario | Basis | Est. Full-Year CVEs | Est. Security Releases |
|---|---|---|---|
| Conservative | Jan–May rate (~200/mo) | ~2,400 | ~100 |
| Trend-based | Apr–Jun rate (~455/mo) | ~3,900 | ~100 |
Stable Linux releases are on track for ~54–56 for the full year (2025: 50).
Sources: Chromium Dash API, Chrome Releases Blog RSS.