chore: cherry-pick 20 changes from angle, chromium, webrtc

[VerteDinde]

Backports the following changes:

• 16dcbc3d1476 from chromium — win: Use static to keep track of in progress drags (503551154, CVE-2026-9110)
• 0733324d999f from webrtc — [M144-LTS][Pipewire] Fix mouse cursor data race (504551032, CVE-2026-9111)
• 06e6c6b59454 from angle — D3D11: Fix buffer state tracking in TransformFeedback11 (489791425, CVE-2026-9112)
• a4bd261b3496 from angle — [M144-LTS] Metal: Round up all buffer sizes to 16 bytes (489585044, CVE-2026-9113)
• 7d0b7c526075 from chromium — Add AMSC macro to QuicProxyDatagramClientSocket (495798630, CVE-2026-9114 — hardening mitigation; see note below)
• 1cd1e8607c8e from chromium — Block invalid responses for Static Router cache source (495999481, CVE-2026-9115)
• e2b91876eb01 from chromium — Enforce CORP for Static Router Cache Source (497436273, CVE-2026-9116)
• 2cdb07c74d06 from chromium — Enable ServiceWorkerStaticRouterCORPCheck and OpaqueCheck by default (495999481 / 497436273, CVE-2026-9115 / CVE-2026-9116)
• faada322153d from chromium — [media/gpu] Enforce safe range for NativePixmapPlane construction (497542537, CVE-2026-9117)
• 7adec41c4fdc from chromium — Remove GPU observer in XRRuntimeManager destructor (498702233, CVE-2026-9118)
• bb4a1365f2fa from webrtc — [M144-LTS] Check vector sizes when crossfading from CNG/expand to normal (502661101, CVE-2026-9119)
• 21d9744bd599 from webrtc — Always release VideoEncoders before destruction (504620824, CVE-2026-9120)
• 458a75ec3e37 from webrtc — Call Release in SimulcastEncoderAdapter destructor if inited (504620824, CVE-2026-9120)
• 86d64be7672e from angle — Translator: Fix codegen of switch with empty last case (488064108, CVE-2026-9121)
• 0323970550b9 from angle — Metal: Fix pitch computation for compressed textures in PBOs (489579953, CVE-2026-9122)
• b885cb0c8e97 from chromium — input: Validate SetMouseCapture requests in the browser process (496375695, CVE-2026-9124)
• d3ea06df9a4c from chromium — Use index-based for in Element::CloneAttributesFrom (496280532, CVE-2026-9126)
• 155b785d0e4f from chromium — Add stronger (D)CHECK()s around batch setting of attributes (496280532, CVE-2026-9126)
• 6aa38f2d02b7 from chromium — Add EventDispatchForbiddenScope for batch attribute notification (496280532, CVE-2026-9126)
• 926d3d259750 from chromium — Avoid setting attribute in SliderThumbElement constructor (496280532, CVE-2026-9126)

Covers the security fixes from the Chrome 148.0.7778.178 stable release that were missing from the 40-x-y tree (Chromium 144.0.7559.236) — none of the fixes from this release were present, including the M144-LTS merges Chrome made after the current pin.

For CVE-2026-9114 (QUIC use-after-free), the cherry-pick is the same hardening mitigation Chrome shipped on stable (ADVANCED_MEMORY_SAFETY_CHECKS() on the vulnerable class); the actual fix (7900197) landed on Chromium main on 2026-06-04 and has not shipped in any Chrome stable channel yet.

Intentionally not backported: 7765503 (CVE-2026-9123) touches only chromecast/media/, which Electron does not compile.

Notes: Security: backported fixes for CVE-2026-9110, CVE-2026-9111, CVE-2026-9112, CVE-2026-9113, CVE-2026-9114, CVE-2026-9115, CVE-2026-9116, CVE-2026-9117, CVE-2026-9118, CVE-2026-9119, CVE-2026-9120, CVE-2026-9121, CVE-2026-9122, CVE-2026-9124, CVE-2026-9126.

[release-clerk]

Release Notes Persisted

Security: backported fixes for CVE-2026-9110, CVE-2026-9111, CVE-2026-9112, CVE-2026-9113, CVE-2026-9114, CVE-2026-9115, CVE-2026-9116, CVE-2026-9117, CVE-2026-9118, CVE-2026-9119, CVE-2026-9120, CVE-2026-9121, CVE-2026-9122, CVE-2026-9124, CVE-2026-9126.