Chrome update patches 31 security vulnerabilities, five of them critical

Updates for Google Chrome released Thursday night close 31 security vulnerabilities. Five of them are considered critical risk.

Chrome logo with an attention sign in front of a matrix background; all blown away by the wind.

(Image: heise medien)


Anyone using Chrome and Chromium-based web browsers should ensure they are using the latest software version. Google has released updates with which developers are closing 31 security vulnerabilities. Five of these are considered critical, allowing attackers to inject malicious code.

In the version announcement, Google's developers list the vulnerabilities. Manipulated websites can trigger a heap-based buffer overflow in the ANGLE WebGL backend, thereby breaking out of the sandbox (CVE-2026-6296, CVSS 9.6, risk “critical”). The bug report was worth $90,000 to Google, making it one of the highest payouts for a Chrome security vulnerability to date.

The proxy component also allows attackers to break out of the sandbox in a “privileged network position” with carefully crafted websites due to a “use-after-free” vulnerability (CVE-2026-6297, CVSS 8.3, risk “high”, but “critical” according to Google). In the Skia graphics library, manipulated HTML pages can cause a heap-based buffer overflow that leaks sensitive information from process memory (CVE-2026-6298, CVSS 4.3, risk “medium”, “critical” according to Google).

A “use-after-free” vulnerability when prerendering websites in Chrome also allows the injection of malicious code with prepared websites (CVE-2026-6299, CVSS 8.8, risk “high”, “critical” according to Google). In Chrome's “Extended Reality” (XR) component on Android, attackers can also trigger read accesses outside of intended memory areas with manipulated HTML pages due to a “use-after-free” vulnerability (CVE-2026-6358, CVSS 8.8, risk “high”, “critical” according to Google).

Developers classify another 22 security vulnerabilities as high risk, and four as medium threat level. Google claims to have fixed the vulnerabilities in versions Chrome 147.0.7727.101 for Android and Linux, and 147.0.7727.101/102 for macOS and Windows. At least, Google does not say that the vulnerabilities are already being exploited in the wild.


Whether the browser is already up to date can be checked in the version dialog. It is reached through the browser menu, hidden behind the icon with three stacked dots to the right of the address bar, under “Help” and then “About Google Chrome”. If an update is available, the dialog downloads it and offers installation. On Linux, this is usually handled by the distribution's software management. On Android smartphones, however, delivery is often delayed.
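A scripted form of that check for Linux hosts, added here as an example and not part of the article: it reads the installed build from `--version` output and compares it component-wise against the lowest patched build the article names (147.0.7727.101). The binary names tried are assumptions; Edge uses its own build numbering and is deliberately not compared against Chrome's threshold.

```python
"""Compare installed Chrome/Chromium builds against the lowest patched build.
Added example (not heise's or Google's code). Assumes a Linux host where the
browser answers `<binary> --version`; binary names below are assumptions."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Patched builds per the announcement: 147.0.7727.101 (Android, Linux) and
# .101/.102 (macOS, Windows). The lowest fixed build is the threshold.
PATCHED_MIN: Tuple[int, ...] = (147, 0, 7727, 101)

# Assumed binary names; Edge is excluded because its build numbers differ.
CHROME_BINARIES = ("google-chrome", "google-chrome-stable",
                   "chromium", "chromium-browser")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a dotted four-part version from output such as
    'Google Chrome 147.0.7727.101' or 'Chromium 146.0.7600.55 snap'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version: Tuple[int, ...],
               minimum: Tuple[int, ...] = PATCHED_MIN) -> bool:
    """Tuple comparison is component-wise and numeric, so 147.0.7727.99 is
    below 147.0.7727.101 and 146.0.9999.999 is below 147.0.0.0, which a
    plain string comparison would get wrong."""
    return version >= minimum


def installed_version(binary: str) -> Optional[Tuple[int, ...]]:
    """Run `<binary> --version` if it is on PATH; None if absent/unparsable."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True,
                         text=True, check=False).stdout
    return parse_version(out)


if __name__ == "__main__":
    for name in CHROME_BINARIES:
        v = installed_version(name)
        if v is not None:
            status = "patched" if is_patched(v) else "NOT patched - update"
            print(f"{name}: {'.'.join(map(str, v))} -> {status}")
```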

Since other browsers like Microsoft Edge are based on Chromium code, the vulnerabilities are likely to be found in them as well. Here too, users should therefore check if updates are available and apply them.

Currently, the number of discovered and closed security vulnerabilities in Chrome is increasing. Just last week, the developers even closed 60 security holes in Chrome.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.