-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 29 Apr 2026 04:36:38 -0400
Source: chromium
Architecture: source
Version: 147.0.7727.137-1~deb13u1
Distribution: trixie-security
Urgency: high
Maintainer: Debian Chromium Team
Changed-By: Andres Salomon
Closes: 1052440
Changes:
 chromium (147.0.7727.137-1~deb13u1) trixie-security; urgency=high
 .
   [ Andres Salomon ]
   * New upstream security release.
     - CVE-2026-7363: Use after free in Canvas. Reported by heapracer.
     - CVE-2026-7361: Use after free in iOS. Reported by Google.
     - CVE-2026-7344: Use after free in Accessibility. Reported by Google.
     - CVE-2026-7343: Use after free in Views. Reported by Google.
     - CVE-2026-7333: Use after free in GPU.
       Reported by c6eed09fc8b174b0f3eebedcceb1e792.
     - CVE-2026-7360: Insufficient validation of untrusted input in
       Compositing. Reported by Google.
     - CVE-2026-7359: Use after free in ANGLE. Reported by Google.
     - CVE-2026-7358: Use after free in Animation. Reported by Google.
     - CVE-2026-7334: Use after free in Views.
       Reported by Batuhan Eşref KOÇ.
     - CVE-2026-7357: Use after free in GPU. Reported by Google.
     - CVE-2026-7356: Use after free in Navigation. Reported by Google.
     - CVE-2026-7354: Out of bounds read and write in Angle.
       Reported by Google.
     - CVE-2026-7353: Heap buffer overflow in Skia. Reported by Google.
     - CVE-2026-7352: Use after free in Media. Reported by Google.
     - CVE-2026-7351: Race in MHTML. Reported by Google.
     - CVE-2026-7350: Use after free in WebMIDI. Reported by Google.
     - CVE-2026-7349: Use after free in Cast. Reported by Google.
     - CVE-2026-7348: Use after free in Codecs. Reported by Google.
     - CVE-2026-7335: Use after free in media.
       Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po).
     - CVE-2026-7336: Use after free in WebRTC. Reported by Mozilla.
     - CVE-2026-7337: Type Confusion in V8. Reported by q@calif.io.
     - CVE-2026-7347: Use after free in Chromoting. Reported by Google.
     - CVE-2026-7346: Inappropriate implementation in Tint.
       Reported by Google.
     - CVE-2026-7345: Insufficient validation of untrusted input in
       Feedback. Reported by Google.
     - CVE-2026-7338: Use after free in Cast. Reported by Krace.
     - CVE-2026-7342: Use after free in WebView. Reported by Google.
     - CVE-2026-7341: Use after free in WebRTC. Reported by Google.
     - CVE-2026-7339: Heap buffer overflow in WebRTC.
       Reported by c6eed09fc8b174b0f3eebedcceb1e792.
     - CVE-2026-7340: Integer overflow in ANGLE.
       Reported by 86ac1f1587b71893ed2ad792cd7dde32.
     - CVE-2026-7355: Use after free in Media. Reported by Google.
 .
   [ Jianfeng Liu ]
   * d/patches:
     - upstream/Fix-GL-native-pixmap-import-support-reset-in-GpuInit.patch:
       Fixes upstream issue https://crbug.com/501115509. This issue is
       introduced in v147, and unfortunately the fix won't get into v147.
       This issue affects both vaapi and v4l2 decoding under ozone wayland.
     - fixes/enable-widevine-on-arm64-linux-platform.patch:
       Enable widevine support on arm64. There is no official support for
       widevine on arm64 linux while there are libwidevine binaries
       extracted from chromeos, which can work on linux (closes: #1052440).