Google has released an important security update for its Chrome browser, fixing 31 vulnerabilities that could put users at serious risk. The update was rolled out on April 15, 2026, and includes several critical fixes that require immediate attention.
The latest version of Google Chrome is now 147.0.7727.101/102 for Windows and macOS, and 147.0.7727.101 for Linux. Users are strongly advised to update their browsers as soon as possible.
Out of the 31 vulnerabilities fixed in this update, five are marked as critical. These flaws are considered highly dangerous because they could allow attackers to execute arbitrary code on a user’s system. This means hackers could run malicious programs, access sensitive data, or even take full control of a device without needing admin access.
Most of the critical issues are linked to memory-related bugs such as heap buffer overflows and use-after-free vulnerabilities. These are common attack points that cybercriminals use to break browser security protections.
One of the major vulnerabilities, tracked as CVE-2026-6296, affects the ANGLE graphics engine and was reported by a security researcher. Another issue, CVE-2026-6297, was found in the Proxy component. Additional critical bugs impact the Skia graphics library, the Prerender feature, and the XR component.
Critical Vulnerabilities
| CVE ID | Type | Component | Impact |
|---|---|---|---|
| CVE-2026-6296 | Heap buffer overflow | ANGLE | Can allow arbitrary code execution and full system compromise |
| CVE-2026-6297 | Use-after-free | Proxy | May lead to remote code execution or browser takeover |
| CVE-2026-6298 | Heap buffer overflow | Skia | Can be exploited to run malicious code |
| CVE-2026-6299 | Use-after-free | Prerender | May allow attackers to execute code silently |
| CVE-2026-6358 | Use-after-free | XR | Can lead to code execution and system control |
Apart from these, the update also fixes several high-severity issues. These include type confusion bugs in the Turbofan engine and out-of-bounds read problems in the Media component.
High Severity Vulnerabilities
| CVE ID | Type | Component | Impact |
|---|---|---|---|
| CVE-2026-6359 | Use-after-free | Video | Possible code execution or crash |
| CVE-2026-6300 | Use-after-free | CSS | Memory corruption leading to exploits |
| CVE-2026-6301 | Type confusion | Turbofan | Can bypass security and execute code |
| CVE-2026-6302 | Use-after-free | Video | Risk of remote code execution |
| CVE-2026-6303 | Use-after-free | Codecs | May allow arbitrary code execution |
| CVE-2026-6304 | Use-after-free | Graphite | Memory corruption vulnerability |
| CVE-2026-6305 | Heap buffer overflow | PDFium | Can lead to code execution |
| CVE-2026-6306 | Heap buffer overflow | PDFium | Same risk of arbitrary code execution |
| CVE-2026-6307 | Type confusion | Turbofan | Security bypass and code execution |
| CVE-2026-6308 | Out-of-bounds read | Media | Data leakage or crash |
| CVE-2026-6309 | Use-after-free | Viz | Potential system compromise |
| CVE-2026-6360 | Use-after-free | FileSystem | Exploitable for code execution |
| CVE-2026-6310 | Use-after-free | Dawn | Memory corruption risk |
| CVE-2026-6311 | Uninitialized use | Accessibility | Data leak or instability |
| CVE-2026-6312 | Policy issue | Passwords | Weak enforcement may expose credentials |
| CVE-2026-6313 | Policy issue | CORS | Cross-origin data access risk |
| CVE-2026-6314 | Out-of-bounds write | GPU | Can lead to code execution |
| CVE-2026-6315 | Use-after-free | Permissions | Privilege escalation risk |
| CVE-2026-6316 | Use-after-free | Forms | Potential exploit via form handling |
| CVE-2026-6361 | Heap buffer overflow | PDFium | Arbitrary code execution risk |
| CVE-2026-6362 | Use-after-free | Codecs | Memory corruption and exploits |
| CVE-2026-6317 | Use-after-free | Cast | Remote exploitation risk |
Google has also rewarded independent security researchers with bug bounties for reporting these issues.
There are also some medium-severity vulnerabilities fixed in this update.
Medium Severity Vulnerabilities
| CVE ID | Type | Component | Impact |
|---|---|---|---|
| CVE-2026-6363 | Type confusion | V8 | Limited code execution risk |
| CVE-2026-6318 | Use-after-free | Codecs | Possible crash or minor exploit |
| CVE-2026-6319 | Use-after-free | Payments | Risk in payment handling flows |
| CVE-2026-6364 | Out-of-bounds read | Skia | Possible data leakage |
Security experts warn that such flaws can be used to bypass browser protections. Once exploited, attackers can install malware, deploy ransomware, or gain deeper access to a system. Both individual users and businesses are at risk if they delay the update.
To stay protected, users should update Chrome immediately. You can do this by opening Chrome settings, going to the “About” section, and allowing the browser to check for updates. Once the update is downloaded, restarting the browser will apply the fixes.
Google has also limited access to detailed bug information for now. This is done to prevent attackers from using the details to create exploits before most users update their browsers.
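For administrators checking many machines against the fixed build named above (147.0.7727.101), the following added example, which is not from Google or the original article, classifies reported version strings as patched, vulnerable or unknown. The hostnames, sample versions and function names are constructed for illustration, and the check assumes the build numbers given in the article are the only fixed builds in play.

```python
import re

# Fixed build named in the article for Windows, macOS and Linux.
FIXED_BUILD = (147, 0, 7727, 101)

# Matches the four-part version in strings such as "Google Chrome 147.0.7727.101".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one reported version string."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable reports need a manual look
    # Tuple comparison is numeric per field, so 7727.99 sorts below 7727.101;
    # a plain string comparison would get that case wrong.
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def triage(inventory):
    """Group hostnames by status from (hostname, version_text) pairs."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory:
        result[classify(version_text)].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("win-laptop-01", "Google Chrome 147.0.7727.102"),
    ("mac-design-02", "Google Chrome 147.0.7727.101"),
    ("linux-build-03", "Google Chrome 147.0.7727.99"),
    ("win-kiosk-04", "Google Chrome 146.0.7680.178"),
    ("linux-ci-05", "version check failed"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A browser that has downloaded the update but not been restarted still runs the old build, so the version should be collected from the running browser rather than from the installed files.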







