Google chrome

Cybersecurity News Security Advisory

Chrome Gets Massive Security Fix: Google Resolves 151 Vulnerabilities, 22 Rated Critical

Google has released a major security update for Google Chrome Stable Channel, addressing 151 vulnerabilities, including 22 critical flaws impacting core graphics, networking, media, and user interface components across Windows, macOS, and Linux platforms.

Critical Vulnerabilities Addressed in Chrome Update

Google has patched three Critical-severity vulnerabilities in Google Chrome that could potentially allow attackers to execute arbitrary code or compromise affected systems.

  • CVE-2026-7896 – An integer overflow vulnerability in the Blink rendering engine. The flaw was reported by an external security researcher on March 18 and was significant enough to receive a $43,000 bug bounty reward from Google.
  • CVE-2026-7897 – A use-after-free vulnerability affecting the Chrome Mobile component, internally identified by Google on April 18.
  • CVE-2026-7898 – A use-after-free vulnerability in Chromoting (Chrome Remote Desktop), internally discovered by Google on April 20.

Successful exploitation of these vulnerabilities could lead to memory corruption, application crashes, or remote code execution under certain conditions. Users and organizations are strongly advised to update Chrome to the latest available Stable release immediately.

Fixed Software Versions

Versions Google Chrome 148.0.7778.215 for Android and Linux, 148.0.7778.215/216 for macOS, and 148.0.7778.216/217 for Windows contain the bug fixes, as Google writes in the release announcement. For Android and iOS, Google is also distributing browsers of the 149 version branch in smaller waves.

The update for the Chromium-based web browsers is usually initiated by the version dialog, which is hidden behind “Help” and then “About” or “Info” on the respective browser name in the browser menu (usually an icon with three stacked dots or lines). On Linux, the distribution’s software management is usually responsible for this. However, updates often arrive with a delay in Apple’s and Google’s app stores; acceleration cannot be forced.

Those who use Chrome-based web browsers like Microsoft Edge should also check here whether the manufacturer has already distributed the updates.

Chrome updates:

According to Chrome’s advisory, the detected bugs were uncovered using automated fuzzing and sanitizer tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, libFuzzer, and AFL, underscoring the scale of Google’s proactive security testing infrastructure.

Users across Windows, Mac, and Linux should immediately update to Chrome 148.0.7778.96/97 to remediate these vulnerabilities.

The next stable release, Chrome 149, is scheduled for June 2, 2026. Users can update via Settings → Help → About Google Chrome, which triggers an automatic download and install.

Sources: https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop_0877304591.html

Sources: https://www.heise.de/en/news/Chrome-update-closes-151-security-holes-22-of-them-critical-11310878.html

Security Advisory

Google Releases Exploit Code for Unpatched Chromium Flaws

Chrome Browser Vulnerabilities

Continue Reading
Blogs Cybersecurity News

Google Chrome Patching 3 High Security Flaws Highlights Browser Security

Google Chrome emergency security update tracked as CVE-2026-2441; Highlights Browser Security

Continue Reading
Security Advisory

Chrome Security Updates by Google Released For Actively Exploited Zero-Day 2026

Chrome update released to patch a zero-day vulnerability that has been exploited in the wild.

Continue Reading
Blogs Cybersecurity News

Malicious Extensions Copies Legitimate Apps; Chrome Under Spotlight

Chrome under spotlight

Continue Reading
Security Advisory

Chrome V8 Type Confusion Vulnerability Actively Exploited In The Wild 

Summary : Security advisory: Google has released an urgent security update to patch two high-severity Type Confusion vulnerabilities in the V8 JavaScript engine. The CVEs vulnerabilities are CVE-2025-13223, CVE-2025-13224 .

OEM Google 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-13223, CVE-2025-13224 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

One of these vulnerability (CVE-2025-13223) is already being actively exploited in the wild, allowing attackers to potentially execute arbitrary code through malicious web content. which attackers can bypass Chrome’s sandbox, steal sensitive data, or deploy malware. The fixes have been rolled out for Chrome Stable 142.0.7444.175/.176 across Windows, Mac, and Linux. 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​Type Confusion Vulnerability in V8 JavaScript Engine CVE-2025-13223 Google Chrome High v142.0.7444.175 / v142.0.7444.176 
Type Confusion Vulnerability in V8 JavaScript Engine CVE-2025-13224 Google Chrome High v142.0.7444.175 / v142.0.7444.176 

Technical Summary 

Both vulnerabilities occur from Type Confusion vulnerabilities in Chrome’s V8 engine, where incorrect data-type handling leads to memory corruption and possible code execution. The CVE-2025-13223 is already being exploited in the wild and may involve APT-driven activity.

Another vulnerability was found internally through Google’s Big Sleep fuzzing system as part of ongoing proactive defense.

These weaknesses can allow attackers to bypass browser security boundaries and execute malicious actions remotely. Urgent need for users and administrators to apply Chrome’s latest security updates immediately. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-13223 Google Chrome (V8 Engine) Type confusion due to improper type handling in V8 allowing memory corruption.  Remote Code Execution, Sandbox Escape 
CVE-2025-13224 Google Chrome (V8 Engine) Type confusion triggered during script execution, discovered via fuzzing Remote Code Execution, Browser Crash 

Remediation

  • Immediate Action: Users and organization administrators should update Chrome immediately to the following patched versions: 
  • Windows: 142.0.7444.175 / 142.0.7444.176 
  • MacOS: 142.0.7444.176 
  • Linux: 142.0.7444.175 

Here are some recommendations below 

  • Enforce Chrome auto-updates on all endpoints via enterprise policies. 
  • Monitor browser crash logs and unusual behaviors tied to JavaScript execution. 
  • Run updated vulnerability & patch management tools to ensure full endpoint compliance. 
  • Educate users to avoid suspicious links and unknown websites during active exploitation events 

Conclusion: 
With Chrome being the most widely used browser globally, prompt updates are essential for the new security vulnerabilities. Maintaining browsers at the latest versions remains the strongest defenses against modern web-based attacks in modern cyber world. 

References

Security Advisory

Chrome Latest Update Fixes Multiple High-Severity Security Flaws 

Summary : The recent Google Chrome update fixed several serious security issues that could let hackers take control of the browser or steal personal data. These vulnerabilities were mostly related to memory handling and scripting errors in important parts of Chrome like the JavaScript engine (V8) and browser interfaces.

OEM Google 
Severity High 
CVSS Score 8.8 
CVEs CVE-2025-12725, CVE-2025-12726, CVE-2025-12727, CVE-2025-12728, CVE-2025-12729 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

Problems like type confusion and memory misuse could allow attackers to run harmful code just by making users visit malicious websites. Some flaws also affected Chrome’s UI, media processing and extension systems exposing users to possible unauthorized access or data leaks. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Out-of-Bounds Write in WebGPU  CVE-2025-12725 Chrome   High 142.0.7444.134/135 
Inappropriate Implementation in Views (UI Rendering)  CVE-2025-12726 Chrome  High 142.0.7444.134/135 
Inappropriate Memory Handling in V8 JavaScript Engine CVE-2025-12727 Chrome  High 142.0.7444.134/135 
Inappropriate Implementation in Omnibox (Unified Search Bar) CVE-2025-12728 Chrome  Medium 142.0.7444.134/135 
Inappropriate Implementation in Omnibox (Unified Search Bar) CVE-2025-12729 Chrome  Medium 142.0.7444.134/135 

Technical Summary 

The bugs included memory corruption issues such as out-of-bound writings and use-after-free errors, which can lead to unpredictable behavior and remote code execution (RCE).

The JavaScript engine vulnerabilities involved mishandling data types or incorrect implementation, enabling attackers to break security boundaries.

Other issues involved UI security logic problems that could mislead users or weaken protections. Google patched all these weaknesses by tightening input validations, fixing memory lifecycle bugs, correcting UI behavior and strengthening internal security checks. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-12725 Google Chrome (WebGPU) Out-of-bounds write in WebGPU due to improper bounds checking, allowing attackers to overwrite memory beyond allocated limits.  Remote Code Execution / Browser Crash 
 CVE-2025-12726 Google Chrome (Views UI) Inappropriate implementation in the Views component causing memory corruption. UI rendering 
CVE-2025-12727 Google Chrome (V8 Engine) Improper handling in the V8 JavaScript engine enabling potential arbitrary code execution through crafted scripts. Remote Code Execution  
CVE-2025-12728 Google Chrome (Omnibox) Flaws in Omnibox’s implementation could allow UI spoofing or navigation bar manipulation. UI Spoofing  
CVE-2025-12729 Google Chrome (Omnibox) Similar flaws in Omnibox affecting input validation, leading to potential security bypasses or deceptive UI. UI Spoofing / Security Bypass 

Recommendations 

Update Chrome immediately to the following versions: 

  • For windows 142.0.7444.134/.135  
  • For MacOS 142.0.7444.135 
  • For Linux 142.0.7444.134 

You can update by Open Chrome Settings → Help → About Google Chrome, then allow Chrome to check for and install updates immediately. 

Along with update you can follow the recommendations below as well 

  • Enforce Chrome auto-updates across managed endpoints using enterprise policy controls. 
  • Actively monitor browser crash reports or any suspicious logs potentially linked to exploit attempts. 
  • Use vulnerability & patch management tools to ensure all endpoints are running the latest version of all applications.  

Conclusion: 
The Chrome security flaws can compromise devices just through browsing. Because millions use Chrome daily, these gaps were a high risk and google already patched those issues. Keeping any application to the latest version which is the best defense against cyber threats aiming at browsers. 

References

Blogs

Report says ChatGpt Atlas is Vulnerable for Users: Understanding Open-AI Agent Mode

Atlas’s autofill and form interaction capabilities present potential attack points

As per reports ChatGpt Atlas browser is vulnerable to attacks and is laced with inherent weakness in comparison to other browser like Google Chrome. As per ‘LayerX ‘who discovered the weakness in ChatGpt Atlas, described threat actors have the ability to inject malicious instructions into ChatGPT’s ‘memory’ and execute remote code and this works by way of cross-site request forgery requests.

These exploit can allow attackers to infect systems with malicious code, grant themselves access privileges or deploy malware. “Understanding “Agent Mode” is most important and core of Atlas which is not same for any traditional browsers. In traditional browser where users manually move from site to site, agent mode allows ChatGPT to semi-autonomously operate your browser.

For e.g. any user wanting to use ChatGPT for work related purposes, the malicious code planted earlier mostly tainted will be invoked automatically to execute remote code, allowing attackers to gain control of the user account .This may include their browser, code they are writing or systems they have access to.

Rate of Vulnerability is 90% A Warning for Users

The rate of vulnerability is 90% then other browsers as when an attacker wish they can push or inject  malicious instructions into ChatGPT’s Atlas ‘memory’ and later execute via remote code.

There is a more basic warning as well. “Atlas does not include meaningful anti-phishing protections, meaning that users of this browser are “up to 90% more vulnerable to phishing attacks than users of traditional browsers,” LayerX says.

Key pointers from research

ChatGPT’s Atlas is not resilient to Phishing attacks

Out of 103 in-the-wild attacks that LayerX tested 97 to go through, a whopping 94.2% failure rate

Compared to Edge (which stopped 53% of attacks in LayerX’s test) and Chrome (which stopped 47% of attacks),

ChatGPT Atlas was able to successfully stop only 5.8% of malicious web pages

Unlike traditional web browsers where you manually navigate the internet, agent mode allows ChatGPT to operate your browser semi-autonomously.

The technology works by giving ChatGPT access to your browsing context. It can see every open tab, interact with forms, click buttons and navigate between pages just as you would.

Importance of Security by Design for web browsing & How AI is intricately involved

The sandboxing approach which is security by design is to keep websites isolated from attacks and prevent malicious code from accessing data from other tabs is crucial to modern web architecture. This is the basis of modern web that depends on separation. But if its not implemented what can be the impact.

But in Atlas, the AI agent isn’t malicious code – it’s a trusted user with permission to see and act across all sites. In this browser isolation is not required. Here AI is not directly connected to the threat but what AI does is AI following a hostile command hidden in the environment. This opens doors to security and privacy risks many users are ill-equipped to handle.

Let me put an example : If you search for air tickets and visit a site , the Atlas ChatGpt will prompt and try to book a ticket or you search for movies in near by theater ,it attempts to book a ticket ”, it will explore options and try to book reservation. Atlas autofill’s and form interaction capabilities present potential attack points, especially when AI is making rapid decisions about information entry and submission.

This is possible when access is granted to ChatGPT for any browsing requirement or context that allows it to view and open tabs, interact with forms and navigate between pages like humans do.

Is User’s security getting compromised

The above example gives users warning that any AI powered browser may be convenient but not without security risks and those who are ChatGpt Atlas, should give extreme cautious before choices are made . Do not share browsing history with any AI mode, instead adopt incognito mode. Any malicious code can  influence the AI’s behavior if browsing and this can happen across multiple tabs.

In case of Atlas, the condition is more vulnerable as Atlas provides inputs like humans doing and AI in disguise executing harmful commands within the environment.

Will AI Agent or Open AI make browsing safe for users or what it means to have safe browsing.

(Source: https://www.bbc.com/news/articles/c20pdy1exxvo)

Security Advisory

Google Chrome Patched High-Severity Memory Vulnerabilities  

Summary : Security Advisory: Google recently rolled out an update for Chrome to address two high & and one medium severity vulnerabilities.

OEM Google 
Severity High 
CVSS Score 8.0 
CVEs CVE-2025-11458, CVE-2025-11460, CVE-2025-11211 
POC Available No 
Actively Exploited No 
Exploited in Wild No 
Advisory Version 1.0 

Overview 

A heap buffer overflow in the Sync component and a use-after-free (UAF) vulnerability in the Storage component have been fixed, along with other security issues.

Users and administrators are advised to apply the latest patch as soon as possible to ensure their systems remain secure. 

                Vulnerability Name CVE ID Product Affected Severity Fixed Version 
Heap Buffer Overflow in Sync  CVE-2025-11458 Chrome (Windows, Mac, Linux)  High 141.0.7390.65/66 
Use-After-Free in Storage  CVE-2025-11460 Chrome (Windows, Mac, Linux) High 141.0.7390.65/66 
Out-of-Bounds Read in WebCodecs CVE-2025-11211 Chrome (Windows, Mac, Linux) Medium 141.0.7390.65/66 

Technical Summary 

Google released an update for the Chrome Stable channel, addresses three significant security vulnerabilities related to memory safety. The update addresses multiple critical memory-related vulnerabilities within Chrome’s core components.

These include a flaw that could allow attackers to corrupt memory during browser data synchronization, potentially enabling arbitrary code execution, and another vulnerability in the storage system that involves improper memory handling after an object is freed, which could also lead to exploitation through crafted web content.

Additionally, a medium-severity issue was fixed in the media processing API that could cause exposure of sensitive memory or impact browser stability when handling certain media files. These fixes are part of ongoing efforts to improve browser security by mitigating risks of remote code execution, data exposure, and crashes. 

CVE ID Component Affected  Vulnerability Details Impact 
 CVE-2025-11458 Chrome Sync component Heap buffer overflow in the Sync component could allow memory corruption and potentially enable arbitrary code execution when handling synchronization data.  Remote Code Execution / Data Leakage 
 CVE-2025-11460 Chrome Storage component Use-after-free in the Storage component could allow attackers to access freed memory, potentially leading to code execution or information disclosure. Remote Code Execution / Browser Instability 
CVE-2025-11211 Chrome WebCodecs API Out-of-bounds read in the WebCodecs API could expose memory contents or crash the browser when processing malformed media inputs. Memory Disclosure / Browser Crash 

Recommendations 

Update Chrome immediately to the following versions: 

  • Windows/Mac: Chrome v141.0.7390.65/66 
  • Linux: Chrome v141.0.7390.65 

Here are bellow recommended actions 

  • Manual Update Check: Navigate to Settings → Help → About Google Chrome to force update. 
  • Enterprise Patch Management: Enforce Chrome auto-updates across managed systems. 
  • Threat Monitoring: Actively monitor browser crash reports, endpoint security alerts, and system/network logs for suspicious behavior. 

Conclusion: 
This update reflects Chrome’s continued commitment to robust browser security by addressing multiple critical memory vulnerabilities that could otherwise be exploited for remote code execution, data exposure, or browser instability.

Promptly applying updates is essential to reduce potential attack surfaces, maintain browser stability, and safeguard user data against emerging threats. 

References

Security Advisory

Chrome Security Update Fixed Active Zero-Day Exploit & Multiple High-Severity Vulnerabilities 

Security advisory : Google has issued a Stable Channel Update for Chrome to address 4 high-severity vulnerabilities, including one zero-day vulnerability (CVE-2025-10585) actively exploited in the wild.

OEM Google 
Severity High 
CVSS Score N/A 
CVEs CVE-2025-10585, CVE-2025-10500, CVE-2025-10501, CVE-2025-10502 
POC Available No 
Actively Exploited Yes 
Exploited in Wild Yes 
Advisory Version 1.0 

Overview 

This flaw, a Type Confusion in the V8 JavaScript and WebAssembly engine, can allow remote attackers to execute arbitrary code outside of Chrome’s security sandbox when users visit maliciously crafted web pages. Users and administrators are urged to update to the latest Chrome version immediately to mitigate potential exploitation 

Vulnerability Name CVE ID Product Affected Severity Fixed Version 
​ Type Confusion in V8 Engine  CVE-2025-10585 Chrome (Windows, Mac, Linux)  High  140.0.7339.185/.186 

Technical Summary 

The zero-day vulnerability in Chrome’s V8 engine arises from a type of confusion flaw, where object types are misinterpreted, leading to logical errors and memory corruption.

Attackers can exploit this issue when users visit maliciously crafted websites, enabling arbitrary code execution and possible sandbox escape.

This flaw has been confirmed as actively exploited in the wild. In addition to this zero-day, the update also fixes three other high-severity issues, a use-after-free in the Dawn graphics abstraction layer that could lead to memory corruption, a use-after-free in WebRTC that may enable remote code execution, and a heap buffer overflow in ANGLE that could result in program crashes or arbitrary code execution. 

CVE ID System Affected  Vulnerability Details Impact 
CVE-2025-10585 Google Chrome (Windows, Mac, Linux) Type confusion in the V8 JavaScript engine could allow memory corruption, arbitrary code execution, and potential sandbox escape Remote Code Execution / Sandbox Escape 

Other Vulnerabilities  

In addition to the zero-day, Google patched three other high-severity vulnerabilities in the same stable channel release. 

Vulnerability Name CVE ID Affected Component Severity 
​Use-after-free in Dawn CVE-2025-10500 Chrome GPU Renderer Component (Dawn)  High 
Use-after-free in WebRTC CVE-2025-10501 Chrome WebRTC Audio/Video Communication Module High 
Heap Buffer Overflow in ANGLE CVE-2025-10502 Chrome Graphics Translation Engine (ANGLE) High 

Recommendations

Update Chrome immediately to the following versions: 

  • Windows/Mac: Chrome 140.0.7339.185/.186 
  • Linux: Chrome 140.0.7339.185 

Here are some Recommendations below 

  • Manual Update Check: Navigate to “Settings → Help → About Google Chrome” to trigger the update. 
  • Patch Management: Ensure enterprise update policies enforce Chrome auto-updates. 
  • Threat Monitoring: Keep monitoring logs for any signs of exploitation 

Conclusion: 
There are high vulnerabilities in Google Chrome, including an actively exploited zero-day flaw in the V8 JavaScript engine that poses a significant risk of remote code execution and sandbox escape.

Given the severity and confirmed exploitation in the wild, it is imperative that all users and administrators promptly update to the latest Chrome versions to mitigate potential attacks. Immediate action is essential to safeguard systems, data, and user privacy in light of these emerging threats. 

References

  • https://cybersecuritynews.com/google-chrome-0-day-vulnerability-exploited/  

Scroll to top