Google has issued an emergency-style security update for Chrome after disclosing 31 vulnerabilities in the desktop browser, including five rated critical, in a release that underlines how quickly memory-safety flaws in widely used software can become a serious risk for consumers, businesses and public institutions. The stable desktop channel moved on April 15 to version 147.0.7727.101/102 for Windows and Mac, and 147.0.7727.101 for Linux, with the rollout set to continue over the coming days and weeks.
Several of the most severe bugs involve heap buffer overflows and use-after-free conditions in core browser components including ANGLE, Proxy, Skia, Prerender and XR. Those classes of flaws are closely watched by defenders because, under the right conditions, they can be used to corrupt memory, crash applications and potentially achieve arbitrary code execution. In plain terms, that means a maliciously crafted website or web content could try to force the browser into running unintended instructions on a user’s machine. Google’s disclosure does not say the critical flaws were being actively exploited before the patch was published, and public bug details remain restricted while the update propagates.
The five critical issues listed by Google are CVE-2026-6296, a heap buffer overflow in ANGLE; CVE-2026-6297, a use-after-free in Proxy; CVE-2026-6298, a heap buffer overflow in Skia; CVE-2026-6299, a use-after-free in Prerender; and CVE-2026-6358, a use-after-free in XR. The disclosure shows the bugs were reported between March 5 and March 30, suggesting an intense patching cycle over roughly six weeks before the fixes reached the stable channel. One of the rewards listed by Google for the critical findings reached $90,000, a sign of both the seriousness and the complexity of the bugs involved.
Beyond the critical defects, the update also addresses a wide spread of high-severity weaknesses across Video, CSS, Turbofan, Codecs, PDFium, FileSystem, Passwords, CORS, GPU, Permissions, Forms and Cast. That breadth matters because modern browsers are no longer simple page viewers; they are effectively operating environments that handle documents, media, payments, cloud applications, developer tools and identity workflows. A flaw in any one of those layers can become significant when chained with another weakness or used against a high-value target.
Chrome’s scale raises the stakes. The browser remains one of the world’s most widely used gateways to banking, email, enterprise software and government services, which is why security researchers and criminal groups alike scrutinise it constantly. Google notes that many Chrome bugs are detected with hardened testing and fuzzing tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer and AFL, reflecting the defensive depth now needed to secure mainstream browsers. Even so, the latest patch shows that critical memory-handling bugs still make their way into production software.
Google has long relied on sandboxing and site isolation to reduce the damage that can follow a browser compromise. Site Isolation is designed to keep websites in separate processes and make it harder for a malicious site to reach data from another service, even if a renderer bug is exploited. That architecture can blunt the impact of some attacks, but it does not remove the need to patch quickly when critical vulnerabilities appear in graphics, rendering or process-management components.
For users, the advice is straightforward: update the browser immediately and relaunch it so the fix is applied. Google’s support guidance says desktop users can check by opening Chrome, selecting the menu, then Help, then About Google Chrome, and relaunching when prompted. Android users can update through Google Play, while Chrome on iPhone and iPad updates through Apple’s App Store mechanisms. Enterprise administrators, meanwhile, may need to verify policy settings and rollout timing, especially in managed fleets where browser updates can lag behind consumer devices.
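For administrators checking a managed fleet, the following added example (not from Google or the original article) audits an inventory export against the fixed build 147.0.7727.101 named above. The CSV layout, hostnames and sample versions are constructed assumptions; substitute the export format of your own inventory tool.

```python
"""Flag hosts whose installed Chrome build predates the fixed release."""
import csv
import io

# Lowest fixed stable build named in the article (same on Windows, Mac, Linux).
FIXED = (147, 0, 7727, 101)

# Constructed sample inventory: hostnames and versions are illustrative only.
SAMPLE_INVENTORY = """host,os,chrome_version
fin-lt-01,windows,147.0.7727.102
fin-lt-02,windows,147.0.7727.55
dev-mb-07,mac,146.0.7680.178
ops-lx-03,linux,147.0.7727.101
kiosk-09,windows,
hr-lt-11,windows,99.0.4844.84
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory_csv, fixed=FIXED):
    """Map each host to 'patched', 'outdated' or 'unknown'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row.get("chrome_version") or "")
        if version is None:
            status = "unknown"    # missing data is a finding, not a pass
        elif version >= fixed:    # numeric tuple compare; a plain string
            status = "patched"    # compare would rank "99..." above "147..."
        else:
            status = "outdated"
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

An inventory reports the version installed on disk; a browser that has not been relaunched since the update is still running the old build.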
Timing is especially important because Google says some bug details will remain restricted until a majority of users have installed the fix, a standard practice intended to stop attackers from reverse-engineering patches before systems are updated. That leaves organisations in a familiar position: they know the risk is serious, but the full technical playbook is intentionally withheld for a short window. In that gap, patch discipline becomes the first line of defence.