Update now! Chrome security vulnerability is being attacked
Google has released an update for Chrome. It patches 21 security vulnerabilities. Attackers are already exploiting one of them, a code-injection vulnerability.
21 security vulnerabilities have been found in the Chrome web browser. Google released updates on Wednesday night to fix them. One of the vulnerabilities allows for the injection of malicious code and is already being exploited on the internet.
This time, Google has promptly provided information about the fixed security vulnerabilities in the release announcement. According to the announcement, 19 vulnerabilities are considered high-risk, and two others are rated as medium threat level. For one of the high-risk vulnerabilities, the developers state that they are aware of an exploit in the wild: attackers are using it to compromise users.
This is a use-after-free vulnerability, in which program code accesses resources after they have already been freed, so that they may contain undefined content. With some skill, this can often be misused to inject and execute malicious code. Attackers are already doing this with manipulated websites. The bug is in Dawn, Chrome's WebGPU implementation (CVE-2026-5281, no CVSS score, risk according to Google “high”).
Google Chrome: Updated Versions
Chrome versions 146.0.7680.177 for Android and Linux and 146.0.7680.177/178 for macOS and Windows fix the security vulnerabilities. These can be installed locally, for example, by calling the version dialog via the click path “Settings” (hidden behind the icon with three stacked dots to the right of the address bar) and then “Help” – “About Google Chrome”, where the available update should be displayed and its installation offered. On Linux, the software management of the distribution used is usually responsible for this. Android users should be offered the update in the Google Play Store; however, Google does not provide the latest versions for all smartphones at the same time, so it may take hours or days before the update becomes available.
Web browsers based on the Chromium project, such as Microsoft Edge, are highly likely to be affected by the security vulnerabilities as well; the exploited vulnerability is probably present in them too. Users of these browsers should also check if updates are available.
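For administrators who want to check more than one machine against the version numbers above, the following added example (not from Google or heise) classifies version strings of the kind printed by `google-chrome --version`. The host names and sample version strings are constructed, and other Chromium-based browsers are reported as unknown because the article gives no fixed build numbers for them.

```python
import re

# Fixed build taken from the article: 146.0.7680.177 (Android, Linux) and
# 146.0.7680.177/178 (macOS, Windows), so .177 is the minimum on every platform.
FIXED = (146, 0, 7680, 177)

# Matches output such as "Google Chrome 146.0.7680.177" from `google-chrome --version`.
VERSION_RE = re.compile(r"^(?P<product>.*?)\s*(?P<ver>\d+\.\d+\.\d+\.\d+)\b")

def parse(line):
    """Return (product, version tuple) or None if no four-part version is present."""
    m = VERSION_RE.match(line.strip())
    if not m:
        return None
    return m.group("product"), tuple(int(p) for p in m.group("ver").split("."))

def classify(line):
    """Classify one inventory line as 'patched', 'vulnerable' or 'unknown'."""
    parsed = parse(line)
    if parsed is None:
        return "unknown"
    product, version = parsed
    # Only Google Chrome is compared: the article gives no fixed build numbers
    # for other Chromium-based browsers, whose version schemes differ.
    if product.lower() != "google chrome":
        return "unknown"
    # Tuple comparison is numeric per component, so build .99 sorts below .177.
    return "patched" if version >= FIXED else "vulnerable"

# Constructed sample inventory (host, reported version string); not real data.
SAMPLE = [
    ("ws-01", "Google Chrome 146.0.7680.178"),
    ("ws-02", "Google Chrome 146.0.7680.99"),
    ("ws-03", "Google Chrome 145.0.7632.200"),
    ("ws-04", "Microsoft Edge 146.0.3856.59"),
    ("ws-05", "chrome not installed"),
]

def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(line) for host, line in inventory}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```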
Most recently, about a week and a half ago, Google distributed an extensive update that closed 26 security vulnerabilities. About a week before that, developers also had to issue emergency updates to close two already exploited security vulnerabilities. There was some confusion – the first fix did not close one of the two vulnerabilities as announced, whereupon Google released another out-of-band update the following day to patch a second already exploited security flaw.
(dmk)