Chrome: Update patches three critical security vulnerabilities
The Chrome update released on Thursday night closes 26 security vulnerabilities, including three critical ones.
(Image: heise medien)
On Thursday, Google released updated versions of its Chrome web browser that close 26 security vulnerabilities. Three of them are rated as critical risks – users should therefore make sure they are running the latest software versions.
Overnight into Friday, Google filled in the initially empty release announcement with details of the vulnerabilities fixed. Two of the most serious security vulnerabilities affect the WebGL component. In one case, attackers can use manipulated HTML pages to break out of the sandbox on Android because of memory access outside the intended boundaries (CVE-2026-4439, no CVSS score, risk rated “critical” by Google). The second WebGL vulnerability sounds similar: here, attackers are said to be able to read and write outside the intended memory areas using carefully prepared web pages. The severity rating, however, indicates that this could allow the injection and execution of malicious code (CVE-2026-4440, no CVSS score, risk rated “critical” by Google).
A “use-after-free” vulnerability also surfaced in Chrome's Base component. It allows malicious actors to provoke memory corruption on the heap with prepared web pages; such vulnerabilities often permit the execution of injected code (CVE-2026-4441, no CVSS score, Google risk rating “critical”). Of the remaining vulnerabilities, 22 are rated as “high” severity and one as “medium”.
Google Chrome: Ensure current software version
At least, the developers do not report that attacks on the vulnerabilities have already been observed in the wild. Nevertheless, Chrome users should make sure the current software version is installed. Currently, these are Chrome 146.0.7680.153 for Android and Linux, and 146.0.7680.153/154 for macOS and Windows.
This can be checked locally by clicking the icon with the three stacked dots to the right of the address bar and navigating via “Help” to “About Google Chrome”. This opens the version dialog, which displays the currently running version, downloads and installs the update if necessary, and then prompts for the required browser restart. On Linux, this usually means running the distribution's package manager. On mobile devices, the current version is not always immediately available in the app stores; delays of several days are common there.
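For administrators who need to confirm the version on many Linux machines rather than through the menu, here is an added example script (not from the article or from Google) that parses the output of the browser's `--version` switch and compares it numerically against the fixed Linux/Android version named above; the binary names it probes are common defaults and an assumption.

```shell
#!/bin/sh
# Added example (not from the heise article): report whether the locally installed
# Chrome/Chromium build is at or above the Linux/Android version the article names
# as fixed. The binary names below are common defaults and are an assumption.
FIXED_VERSION="146.0.7680.153"

# extract_version "<--version output>": print the first a.b.c.d version found, if any
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# version_ge A B: exit 0 if dotted version A >= B, comparing field by field numerically
# (so 146.0.7680.153 > 146.0.7680.99, which a plain string compare would get wrong)
version_ge() {
    i=1
    while :; do
        fa=$(printf '%s' "$1" | cut -d. -f"$i")
        fb=$(printf '%s' "$2" | cut -d. -f"$i")
        [ -z "$fa" ] && [ -z "$fb" ] && return 0   # all fields compared, equal
        fa=${fa:-0}; fb=${fb:-0}                   # a missing field counts as 0
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
}

# chrome_status "<--version output>": print patched / vulnerable / unknown and
# return 0 / 1 / 2, so the function can drive alerting in a fleet script
chrome_status() {
    v=$(extract_version "$1")
    [ -n "$v" ] || { echo "unknown"; return 2; }
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "patched"; return 0
    fi
    echo "vulnerable"; return 1
}

# Query whichever Chrome/Chromium binary is on PATH; prints nothing if none is found.
for bin in google-chrome google-chrome-stable chromium chromium-browser; do
    if command -v "$bin" >/dev/null 2>&1; then
        out=$("$bin" --version 2>/dev/null)
        printf '%s: %s -> %s\n' "$bin" "$out" "$(chrome_status "$out")"
    fi
done
```

Chromium-based browsers such as Edge or Brave carry their own version numbers, so the same comparison only applies to them once their vendors publish the corresponding fixed build.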
The vulnerabilities are usually also present in the Chromium code base and in browsers built on it, such as Microsoft Edge or Brave. Their vendors are likely to release updates closing the vulnerabilities shortly as well, so users should check there too whether updates are already available.
The Chrome developers at Google are currently extremely busy fixing security issues. Last Friday, an emergency update fixed actively exploited vulnerabilities in the Chrome browser. Contrary to the initial announcement, however, the fix for a second attacked vulnerability was still missing; it was delivered in another Chrome emergency update on Friday night.
(dmk)