Critical vulnerabilities in Chrome and Firefox closed
The web browsers Chrome and Firefox have been released in updated versions. They close critical security vulnerabilities.
(Image: heise online / dmk)
Anyone using widely used web browsers like Google's Chrome or Mozilla's Firefox should promptly apply the available updates. They close security vulnerabilities classified as critical, which among other things allow attackers to inject and execute code.
Web Browser Google Chrome
Google developers are apparently also using AI for vulnerability research, and the updated versions 147.0.7727.137 (Android, Linux) and 147.0.7727.137/138 (macOS, Windows) patch 30 security vulnerabilities at once; the number of flaws found and fixed per release has risen noticeably for several weeks. The release announcement states only briefly in which browser component a vulnerability of which type and severity was found. Accordingly, attackers can, for example, use crafted websites to exploit a use-after-free vulnerability in the canvas component of Chrome on Linux or ChromeOS to execute arbitrary code inside the sandbox (CVE-2026-7363, no CVSS, risk according to Google “critical”). On iOS, Chrome also has a use-after-free vulnerability that corrupts heap memory when processing crafted websites (CVE-2026-7361, no CVSS, risk according to Google “critical”).
On Windows, a use-after-free vulnerability in Chrome's accessibility routines can allow an escape from the sandbox (CVE-2026-7344, no CVSS, risk “critical”). The user interface framework Views also contains a use-after-free vulnerability that can allow a sandbox escape (CVE-2026-7343, no CVSS, risk “critical”). In a use-after-free, program code keeps using memory that has already been released. If the allocator has meanwhile handed that memory to a new allocation, the stale reference now sees attacker-chosen content, which can often be exploited, for example to redirect a function or vtable pointer and execute injected code. Google classifies 23 further security vulnerabilities as high risk.
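To make that mechanism concrete, here is an added example that is not code from this article or from Chromium or Firefox: a small C program with a toy allocator that reproduces, deterministically, what an attacker does with a use-after-free. The freed object's slot is handed to the next same-size allocation, the attacker fills it with a chosen function pointer, and the stale reference then calls into the attacker's code. A second variant zeroes freed slots and keeps them out of circulation, a simplified version of the quarantine idea behind Chromium's MiraclePtr, so the stale use is caught instead of hijacked. The allocator, the `widget` type, the handlers and the slot counts are all constructed for this example; real allocators such as glibc's tcache or PartitionAlloc reuse same-size chunks in a similar way, which is what makes the pattern reliable in practice.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Object with a function pointer, the C analogue of a C++ object with a vtable. */
typedef void (*handler_t)(void);
struct widget {
    handler_t on_event;
    char name[24];
};

/* Toy allocator (constructed for this example): a fixed arena of same-size
 * slots with a LIFO free list, so a just-freed slot is the next one handed out. */
#define NSLOTS 4
static struct widget arena[NSLOTS];
static int free_list[NSLOTS];
static int free_top;

static void arena_reset(void) {
    memset(arena, 0, sizeof arena);
    free_top = 0;
    for (int i = NSLOTS - 1; i >= 0; i--)
        free_list[free_top++] = i;          /* slot 0 is handed out first */
}

static void *toy_malloc(void) {
    return free_top ? &arena[free_list[--free_top]] : NULL;
}

/* Plain free: the slot goes straight back on the free list, contents untouched. */
static void toy_free(void *p) {
    free_list[free_top++] = (int)((struct widget *)p - arena);
}

/* Mitigated free: zero the slot and keep it out of circulation (quarantine),
 * a simplified stand-in for the quarantine approach of Chromium's MiraclePtr. */
static void toy_free_quarantine(void *p) {
    memset(p, 0, sizeof(struct widget));
}

static int hijacked;                          /* set if attacker code ran */
static void benign_handler(void) { }
static void attacker_gadget(void) { hijacked = 1; }

/* Runs one object lifecycle with the given free routine. Returns 1 if the
 * dangling call landed in the attacker's gadget, 0 otherwise. */
static int run_flow(void (*release)(void *)) {
    hijacked = 0;
    arena_reset();

    struct widget *w = toy_malloc();          /* e.g. a canvas object */
    w->on_event = benign_handler;
    strcpy(w->name, "canvas");

    release(w);                               /* released, but `w` is still held elsewhere */

    /* Attacker triggers a same-size allocation (in a browser: a JS string or
     * ArrayBuffer of the right length) and fills it with a chosen pointer. */
    unsigned char *spray = toy_malloc();
    handler_t g = attacker_gadget;
    memcpy(spray, &g, sizeof g);

    /* The stale reference is used. With plain free, `spray` occupies the old
     * slot and the call goes to attacker_gadget; with quarantine the slot was
     * zeroed, the dangling pointer sees NULL and the use can be refused. */
    if (w->on_event == NULL)
        return 0;
    w->on_event();
    return hijacked;
}

int vulnerable_flow(void) { return run_flow(toy_free); }
int mitigated_flow(void)  { return run_flow(toy_free_quarantine); }

int main(void) {
    printf("plain free:  hijacked=%d\n", vulnerable_flow());   /* 1 */
    printf("quarantined: hijacked=%d\n", mitigated_flow());    /* 0 */
    return 0;
}
```

The point of the second variant is not the NULL check itself (the code holding the stale pointer is usually not the code that freed it) but that freed memory is never reused while a reference may still exist, which turns an exploitable primitive into a deterministic crash or a detectable condition.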
Firefox Web Browser
Meanwhile, the Mozilla Foundation has released Firefox 150.0.1, Firefox ESR 140.10.1, and Firefox ESR 115.35.1. All of them fix the same memory-safety vulnerabilities, i.e., bugs that allow access outside the intended memory areas; the developers do not go into detail (CVE-2026-7322, CVSS 7.3 according to CISA, but risk according to Mozilla “critical”).
Neither vendor reports any indication that the vulnerabilities are being exploited in the wild. Nevertheless, users should quickly make sure they are running the patched versions.
All of these browsers show the installed version in their version dialog, which is opened from the settings menu via “Help” and then “About <Browser Name>”. If an update is available, the dialog reports it and offers to install it. On Linux, the distribution's package manager usually handles updates; on mobile devices, the app stores do, though updates there often arrive with a delay.
Browsers based on these projects, such as the Chromium-based Microsoft Edge, are likely to offer updates soon to fix the security flaws. Similarly, updates are expected shortly for the Thunderbird email program, as it is based on vulnerable Firefox code.
(dmk)