Google has recently released a critical security update for its Chrome desktop browser, addressing 30 security vulnerabilities, including four severe flaws that could enable remote code execution (RCE) attacks. The Stable channel has been updated to version 147.0.7727.137/138 for Windows and Mac, and to 147.0.7727.137 for Linux. This update is being rolled out gradually over the coming days and weeks to ensure a stable deployment.
The majority of the severe flaws patched in this release are Use-After-Free memory vulnerabilities. A Use-After-Free bug occurs when an application attempts to access memory space that has already been freed or deallocated. This memory mismanagement can lead to unexpected browser crashes, severe data corruption, and, most dangerously, arbitrary code execution. If successfully exploited, these vulnerabilities allow remote attackers to run malicious commands on a victim’s machine simply by convincing the user to visit a specially crafted malicious webpage. This requires no additional user interaction and could allow hackers to bypass Chrome’s built-in sandbox protections, potentially compromising the underlying system.
Google is temporarily restricting access to specific bug details and exploit links until a vast majority of the user base has successfully applied the security patch. This industry-standard practice prevents threat actors from reverse-engineering fixes to launch attacks against unpatched, vulnerable systems.
Google awarded bug bounties to researchers, including $16,000 for a high-severity GPU flaw and $7,000 for a critical Canvas issue. Below is a summary of the most critical and highly rewarded vulnerabilities addressed in this Chrome release:
– CVE-2026-7363 is a critical use-after-free vulnerability in the Canvas component, reported by heapracer, with a $7,000 bounty.
– CVE-2026-7361 is a critical use-after-free vulnerability affecting iOS, reported by Google, with the bounty yet to be determined.
– CVE-2026-7344 is a critical use-after-free vulnerability in the Accessibility component, reported by Google, with a pending bounty.
– CVE-2026-7343 is a critical use-after-free vulnerability in the Views component, reported by Google, with a pending bounty.
– CVE-2026-7333 is a high-severity use-after-free vulnerability in the GPU component, reported by c6eed09fc8b174b0f3eebedcceb1e792, with a $16,000 bounty.
To protect against potential exploitation, individuals and network administrators are strongly advised to update their Google Chrome browsers immediately. Check for updates in Google Chrome via Help → About Google Chrome, then restart the browser to apply them. A quick browser restart is required to apply the latest protections fully. Administrators managing enterprise environments should prioritize the rapid deployment of Chrome version 147.0.7727.137/138 across their networks to prevent potential intrusions.
In addition to these critical updates, Google has introduced a new security feature in Chrome 146 for Windows called Device Bound Session Credentials (DBSC), aimed at preventing infostealer malware from misusing session cookies. DBSC strengthens session security by cryptographically binding login sessions to the physical device through hardware-backed modules like the Trusted Platform Module (TPM). This process generates a non-exportable key pair, ensuring that even if session cookies are stolen, attackers cannot use them without the device’s private key.
The release builds on an early version deployed in 2025, with data showing a notable drop in session thefts for DBSC-protected sessions. The feature allows websites to maintain compatibility with existing front-end logic while enabling secure cookies through new back-end endpoints. Google handles the cryptographic aspects and cookie rotation, keeping integration seamless for web applications. Although initially available only for Windows, a macOS version is expected soon.
Session cookies have become a coveted target for cybercriminals, especially as they bypass multi-factor authentication. Infostealers such as Lumma, Vidar, and StealC steal these cookies along with other sensitive data. DBSC aims to mitigate this risk by rendering stolen session cookies useless.
In February 2026, a high-severity zero-day vulnerability, CVE-2026-2441, was discovered in Google Chrome. The flaw is a use-after-free bug inside Chrome’s CSS engine. If a victim loads malicious content, attackers can potentially achieve arbitrary code execution. This means that no file download is required, no obvious warning is given, and just visiting a crafted webpage could be enough for exploitation.
In April 2026, Google released a critical security update for its Chrome browser, bringing the stable channel to version 147.0.7727.55/56. The update, rolled out starting April 9, 2026, addresses 60 security vulnerabilities, including two rated as critical. These two critical flaws, CVE-2026-5858 and CVE-2026-5859, affect Chrome’s WebML component and could allow an attacker to achieve remote code execution (RCE) by tricking a user into visiting a malicious website. The severity of these bugs is underscored by the high bug bounty payouts, totaling $86,000. The patch also includes fixes for 14 high-severity vulnerabilities.
In April 2026, CERT-FR issued advisory CERTFR-2026-AVI-0487 notifying of multiple vulnerabilities discovered in Google Chrome. Affected versions are those prior to 147.0.7727.116 for Linux and Windows, and prior to 147.0.7727.117 for Mac. The vulnerabilities, reported via Google’s security bulletin of 22 April 2026, may allow an attacker to cause unspecified security issues. Organizations and individual users running affected Chrome installations should update immediately to the patched version.
In April 2026, CVE-2026-6316, a use-after-free vulnerability in the Forms component of Google Chrome prior to version 147.0.772
Article X Post:
Hashtags:
Article Key Phrase:
Category: Security News
