Last updated: July 5, 2026 at 9:01 AM UTC
Tag: chrome (4 articles)

Google patches actively exploited Chrome V8 zero-day, fifth this year

Google has shipped an emergency Chrome fix for a zero-day in V8, the browser's JavaScript and WebAssembly engine, that attackers are already exploiting in the wild. The flaw (CVE-2026-11645, rated 8.8) is an out-of-bounds memory read and write that lets a malicious web page run code inside Chrome's sandbox, and can help defeat protections like ASLR to set up a fuller compromise. Google confirmed an exploit exists but withheld details until most users update. It is the fifth actively exploited Chrome zero-day of 2026. The fix is in Chrome 149.0.7827.102/103 for desktop; Chromium-based browsers like Edge and Brave need the same update.

Check
Check Chrome and Chromium-based browser versions across managed endpoints (chrome://version or MDM inventory) and confirm they are at or above the June 8 patched build.
Affected
Google Chrome desktop before 149.0.7827.102/103 on Windows, macOS, and Linux (CVE-2026-11645, a V8 out-of-bounds read/write), plus Chromium-based browsers such as Edge and Brave.
Fix
Update Chrome to 149.0.7827.102 or later and relaunch to apply it. Push the update through enterprise policy and patch all Chromium-based browsers in your fleet.

Chrome patches record 429 flaws, including a sandbox-escape RCE

Google shipped Chrome 149 with fixes for 429 security bugs, the most ever in a single Chrome release. More than 100 are rated critical or high. The worst, an out-of-bounds read and write in the ANGLE graphics engine that Chrome uses to render web pages, lets a booby-trapped website break out of the browser's protective sandbox and run code on the victim's computer; Google paid a $97,000 bounty for it. None are confirmed under attack yet, but a sandbox escape is the kind of bug attackers race to weaponize, so patching before that happens matters.

Check
Check the Chrome version on every managed endpoint (chrome://version or your MDM inventory) and confirm Chromium-based browsers like Edge and Brave are also updated.
Affected
Google Chrome before version 149 on Windows, macOS, and Linux. Worst flaw CVE-2026-10881 (CVSS 9.6), an ANGLE out-of-bounds read and write enabling sandbox escape.
Fix
Update Chrome to version 149 or later and relaunch to apply it. Push the update through enterprise policy and patch Edge, Brave, and other Chromium browsers.

Google is paying $1.5 million for a Pixel hack and cutting Chrome rewards because AI is finding bugs faster than humans can submit reports

Google overhauled its Vulnerability Reward Program for Android and Chrome on May 1 in response to AI tools reshaping bug hunting. The maximum Pixel Titan M reward jumped to $1.5 million for a zero-click exploit with persistence. Chrome payouts dropped across categories. Google is rewarding 'actionable reports' with concrete exploits and suggested fixes rather than raw bug volume - a response to AI tools like Anthropic's Mythos and OpenAI's GPT-5.4-Cyber generating more vulnerability reports than security teams can triage. Google paid a record $17.1 million in 2025 (up 40% from 2024) and expects 2026 aggregate rewards to increase further despite per-bug cuts.

Check
If your organization runs a bug bounty program, decide this quarter whether you reward per-finding or per-impact - the AI-generated bug volume is making the per-finding model financially unsustainable.
Affected
Any organization running a vulnerability reward program is facing the same volume problem Google is responding to. Independent security researchers face per-bug payment cuts industry-wide as programs adjust. The Internet Bug Bounty pause is a signal that mid-tier programs without Google's scale will struggle most.
Fix
Restructure bounty programs to reward proof of exploitation (working PoC, demonstrated impact) rather than report volume. Add quality gates: detailed reproduction steps, proposed fixes, impact analysis. Use AI tools defensively to triage incoming reports. For independent researchers: focus on high-value targets where AI struggles (complex multi-step exploits, business logic flaws) rather than competing on volume.

Google patches fourth Chrome zero-day of 2026 - WebGPU flaw exploited in the wild (CVE-2026-5281)

Google pushed an emergency Chrome update to fix a use-after-free bug in Dawn, the engine behind Chrome's WebGPU graphics standard. CVE-2026-5281 is already being exploited - an attacker who has compromised the browser's renderer process can use a crafted HTML page to execute arbitrary code, potentially escaping Chrome's sandbox. This is the fourth actively exploited Chrome zero-day in 2026, and the third targeting graphics or rendering subsystems. CISA added it to the KEV catalog with an April 15 deadline.

Check
Update Chrome immediately on all managed endpoints. Also check Edge, Brave, Opera, and Vivaldi - they share the same Chromium codebase.
Affected
Google Chrome prior to 146.0.7680.177/178 (Windows/macOS) or 146.0.7680.177 (Linux). All Chromium-based browsers are affected.
Fix
Update Chrome to 146.0.7680.177/178. Verify auto-update is enabled and not blocked by group policy. Push updates via enterprise management tools. Apply Chromium-based browser patches from Microsoft, Brave, and others as they release.
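The Check and Fix steps for the V8, ANGLE and WebGPU advisories above all come down to the same comparison: is each endpoint's Chromium build at or above the fixed build for each CVE? The following is an added Python example, not code from the page or from Google, that parses four-part Chromium version strings and reports per host which of the three listed fixes are missing. The inventory format and hostnames are constructed, and it assumes the inventory records the Chromium engine build (what chrome://version reports) rather than a vendor's own Edge or Brave release number.

```python
"""Audit inventory versions against the patched builds from the advisories above."""

# Minimum fixed build per CVE, taken from the advisories on this page. Where an
# advisory lists a pair (e.g. 149.0.7827.102/103) the lower build is the threshold.
PATCHED_BUILDS = {
    "CVE-2026-11645": "149.0.7827.102",  # V8 OOB read/write, exploited in the wild
    "CVE-2026-10881": "149.0.0.0",       # ANGLE OOB read/write, fixed in Chrome 149
    "CVE-2026-5281": "146.0.7680.177",   # Dawn/WebGPU use-after-free, exploited
}

def parse_version(text: str) -> tuple:
    """'146.0.7680.177' -> (146, 0, 7680, 177); shorter strings are padded
    with zeros so a bare major such as '149' compares as 149.0.0.0."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def missing_fixes(version: str) -> list:
    """CVEs whose fixed build is newer than the installed version."""
    installed = parse_version(version)
    return [cve for cve, fixed in PATCHED_BUILDS.items()
            if installed < parse_version(fixed)]

def audit(inventory: str) -> dict:
    """Inventory lines are 'host<TAB>browser<TAB>chromium_version' (a constructed
    format, not a real MDM export); the version must be the Chromium engine build
    as chrome://version reports it. Returns host -> list of missing CVEs."""
    report = {}
    for line in inventory.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, browser, version = line.split("\t")
        gaps = missing_fixes(version)
        if gaps:
            report[f"{host} ({browser})"] = gaps
    return report

# Constructed sample inventory: hypothetical hosts and version numbers.
SAMPLE_INVENTORY = (
    "ws-01\tchrome\t149.0.7827.103\n"
    "ws-02\tchrome\t149.0.7827.57\n"
    "ws-03\tedge\t146.0.7680.180\n"
    "ws-04\tbrave\t145.0.7600.9\n"
)

if __name__ == "__main__":
    for host, cves in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: missing {', '.join(cves)}")
```

A host on 146.0.7680.180 is patched for CVE-2026-5281 but still exposed to both Chrome 149 fixes, which is exactly the gap a "latest major only" check would miss.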