Chrome browser: Update patches ten security vulnerabilities, some critical

On Wednesday night, Google distributed a Chrome update. The list of security vulnerabilities closed in it is now available.


Unnoticed by many, Google released an update for the Chrome web browser on Wednesday night. Initially, the version announcement was empty. On Thursday night, however, the developers added the details – it is an important security update.

In the release announcement, Google writes that the update closes ten security vulnerabilities. Three of them are rated “critical.” This is also reflected in the rewards paid to the reporters: $33,000 in one case and $32,000 in another; in the third case, the company is still determining the amount.

The most severe vulnerabilities affect, for example, the WebGL backend ANGLE. Remote attackers can abuse an integer overflow in it with manipulated websites and thereby access memory outside the intended boundaries (CVE-2026-3536, no CVSS score yet, risk “critical”). In Chrome's PowerVR component on Android, there are problems with the lifecycle of objects that are not explained in more detail and that lead to an exploitable heap memory error (CVE-2026-3537, no CVSS score yet, risk “critical”). Furthermore, the Skia component, which is used for almost all graphics operations, contains an integer overflow with the known consequences (CVE-2026-3538, no CVSS score, risk “critical”).

Such vulnerabilities often allow the execution of injected malicious code, which is also reflected in the risk assessment. To attack the vulnerabilities, the web browser must, for example, display a carefully prepared website. Google at least does not mention that the vulnerabilities are already being exploited in the wild; exploitation of that kind prompted the company to release an out-of-cycle emergency update around mid-February.

Seven further security vulnerabilities have comparable consequences but are apparently more difficult to exploit. The Chromium developers have therefore only assigned them the risk rating “high.” Nevertheless, users of Chrome and other Chromium-based web browsers should ensure that they are using the latest, fixed versions. These are Chrome 145.0.7632.159 for Android and Linux, version 146.0.7680.38 for iOS, and Chrome 145.0.7632.159/160 for macOS and Windows. The Extended Stable version is currently up to date at version 144.0.7559.236 for macOS and Windows.
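For a fleet check, the fixed builds named above can be compared against an inventory export. The following Python sketch is an added example, not part of the original article or of any Google tooling; the hostnames, installed versions and the `other-chromium` channel label are constructed, and treating a newer milestone than the listed one as "unknown" is an assumption.

```python
import re

# Fixed builds as named in the article, keyed by (platform, channel).
FIXED = {
    ("android", "stable"): "145.0.7632.159",
    ("linux", "stable"): "145.0.7632.159",
    ("ios", "stable"): "146.0.7680.38",
    ("macos", "stable"): "145.0.7632.159",
    ("windows", "stable"): "145.0.7632.159",
    ("macos", "extended"): "144.0.7559.236",
    ("windows", "extended"): "144.0.7559.236",
}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return a 4-tuple of ints, or None unless text is MAJOR.MINOR.BUILD.PATCH."""
    m = _VERSION.fullmatch(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, channel, version):
    """Return 'patched', 'outdated' or 'unknown' for one installation."""
    base = parse_version(FIXED.get((platform.lower(), channel.lower()), ""))
    installed = parse_version(version)
    if base is None or installed is None:
        return "unknown"  # no baseline in the article, or unparsable version
    if installed[0] > base[0]:
        return "unknown"  # assumption: article names no fixed build for newer milestones
    return "patched" if installed >= base else "outdated"  # numeric, not string, compare

def audit(rows):
    """Map host -> status; rows are (host, platform, channel, version)."""
    return {host: classify(p, c, v) for host, p, c, v in rows}

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("ws-01", "Windows", "stable", "145.0.7632.160"),
    ("ws-02", "Windows", "stable", "145.0.7632.99"),
    ("ws-03", "Windows", "extended", "144.0.7559.236"),
    ("lx-01", "Linux", "stable", "144.0.7559.236"),
    ("ph-01", "iOS", "stable", "146.0.7680.38"),
    ("ws-04", "Windows", "other-chromium", "145.0.0.0"),
    ("lx-02", "Linux", "stable", "Chromium 145"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual look: either the article gives no fixed build for that browser or milestone, or the inventory field did not contain a full four-part version.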


Updates can be found and applied, for example, by clicking on the icon with the three stacked dots to the right of the address bar and navigating through “Help” – “About Google Chrome.” On Linux, this usually requires running the software manager of the distribution in use. On Android and iOS, updates come through the respective app stores; if the update is not yet available there, users have to wait, as it cannot be forced. Updates for other Chromium-based web browsers like Microsoft Edge are expected to appear shortly and should be installed promptly.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.