Google patches 31 Chrome 147 flaws including critical RCE and sandbox escapes
Google released Chrome 147.0.7727.101/.102 for desktop and 147.0.7727.101 for Android to fix a broad set of browser vulnerabilities, with the desktop advisory covering 31 security issues and multiple Critical and High severity bugs. The patched set includes remote code execution and memory-corruption flaws such as CVE-2026-6299 in Prerender, CVE-2026-6297 in Proxy, CVE-2026-6300 in Blink CSS, CVE-2026-6307 and CVE-2026-6363 in V8, CVE-2026-6361 in PDFium, and several use-after-free bugs in Video, Forms, FileSystem, Cast, Permissions, and XR components. Google said Android inherits the same security fixes as the corresponding desktop release unless otherwise noted, and affected versions span Chrome builds prior to 147.0.7727.101 on Linux and Android and prior to 147.0.7727.101/.102 on Windows and macOS.
Several of the flaws could be used in exploit chains to cross Chrome security boundaries, including sandbox escape paths in GPU, Viz, Dawn WebGPU, Accessibility, Graphite, and Proxy components through CVE-2026-6314, CVE-2026-6309, CVE-2026-6310, CVE-2026-6311, CVE-2026-6304, and CVE-2026-6297. Public technical details for many Chromium issues remain restricted while patches propagate, and no confirmed in-the-wild exploitation was cited for these specific April fixes, though multiple reports note Chrome’s recent zero-day activity and the likelihood of rapid weaponization of memory-safety bugs. The Canadian Centre for Cyber Security urged organizations to review Google’s advisory and apply updates promptly, while downstream Chromium-based browsers may remain exposed until they ship their own patched releases.
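The affected-version ranges above translate into a simple fleet check. The following is an added example, not code from Google or from the advisory; it assumes an inventory that reports version strings in the form printed by `google-chrome --version`, and the hostnames and sample builds are constructed.

```python
import re

# Lowest patched build named in the advisory summarised above. Windows and
# macOS shipped as .101/.102, so .101 is the floor on every platform.
FIXED_BUILD = (147, 0, 7727, 101)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from a string such as the output
    of `google-chrome --version`; return None when no version is present."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def needs_update(version_text):
    """True when the build predates the fixed release. Unparseable input is
    flagged for follow-up instead of silently passing."""
    v = parse_version(version_text)
    # Tuple comparison is numeric per component; comparing the raw strings
    # would rank "…7727.99" above "…7727.101" and miss a vulnerable host.
    return v is None or v < FIXED_BUILD


def triage(inventory):
    """Return sorted (host, reported_version) pairs that still need the update."""
    return sorted((h, v) for h, v in inventory.items() if needs_update(v))


# Constructed inventory: hostnames and builds are made up for illustration.
SAMPLE_INVENTORY = {
    "win-laptop-01": "Google Chrome 147.0.7727.102",
    "mac-design-07": "Google Chrome 147.0.7727.56",
    "lnx-build-03": "Google Chrome 147.0.7727.101",
    "lnx-kiosk-11": "Google Chrome 146.0.7680.178",
    "and-tablet-02": "147.0.7727.99",
    "win-legacy-09": "unknown",
}

if __name__ == "__main__":
    for host, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} -> update required")
```

The threshold applies to Google Chrome builds only; Chromium-based browsers from other vendors have to be checked against their own patched releases.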

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Canada's Cyber Centre issues advisory on Chrome 147 vulnerabilities
On 2026-04-15, the Canadian Centre for Cyber Security published advisory AV26-358 about Google's Chrome desktop security update. The notice identified affected versions prior to 147.0.7727.101/102 on Windows and Mac and prior to 147.0.7727.101 on Linux, and urged users and administrators to apply updates.
Google releases Chrome 147 security updates across desktop and Android
On 2026-04-15, Google released Chrome 147.0.7727.101/.102 for desktop platforms and 147.0.7727.101 for Android. The updates addressed a broad set of vulnerabilities, with multiple references stating the stable-channel release included 31 security fixes affecting components such as Proxy, Prerender, Video, FileSystem, Forms, Cast, Permissions, Viz, Dawn/WebGPU, GPU, XR, PDFium, V8, and Accessibility.
Google authors upstream fix for Chrome CSS flaw CVE-2026-6300
On 2026-04-07, Anders Hartvoll Ruud authored commit c34df82 to fix CVE-2026-6300 in Chrome's Blink CSS layout engine. The patch changed iteration logic, added validation helpers, and introduced a regression crashtest.
Google internally discovers Chrome Permissions flaw CVE-2026-6315
Google discovered and reported CVE-2026-6315 internally on 2026-04-03. The high-severity use-after-free in Chrome's Permissions component primarily affected Android exploitation scenarios.
Researcher asjidkalam reports Chrome FileSystem flaw CVE-2026-6360
CVE-2026-6360, a high-severity use-after-free in Chrome's FileSystem component, was reported by asjidkalam on 2026-03-31. Google later included the issue among 31 security fixes in its April 2026 stable update.
Google fixes Chrome Prerender flaw CVE-2026-6299 in upstream commit
Google fixed CVE-2026-6299 in commit 8c1ead5a699f53f1915f3187d2bcfac725c46815, authored by Hiroki Nakagawa on 2026-03-30. The bug was a critical use-after-free in Chrome's Prerender feature that could allow remote code execution via crafted HTML.
Project WhatForLunch reports Chrome V8 flaw CVE-2026-6307
CVE-2026-6307, a V8 Turbofan type confusion vulnerability, was reported by Project WhatForLunch on 2026-03-29. Google later shipped fixes for the issue in the April 15, 2026 Chrome 147 security release.
Researcher Syn4pse reports Chrome Video flaw CVE-2026-6302
Google's later April 2026 patch cycle included CVE-2026-6302, a high-severity use-after-free in Chrome's Video component. The vulnerability was explicitly described as having been reported by researcher Syn4pse on 2026-03-24.
Google ships another Chrome 140 desktop security update for V8 flaws
On 2025-09-23, Google announced Chrome 140.0.7339.207/.208 for Windows and Mac and 140.0.7339.207 for Linux. The release patched three High-severity V8 issues: CVE-2025-10890, CVE-2025-10891, and CVE-2025-10892.
Google patches four Chrome desktop flaws, including one exploited in the wild
On 2025-09-17, Google released Chrome 140.0.7339.185/.186 for Windows and Mac and 140.0.7339.185 for Linux. The update fixed four High-severity vulnerabilities in V8, Dawn, WebRTC, and ANGLE, and Google said an exploit existed in the wild for CVE-2025-10585.
Sources
Google Chrome security advisory (AV26-358) - Canadian Centre for Cyber Security (cyber.gc.ca)
Chrome Releases: Chrome for Android Update (chromereleases.googleblog.com)
Quick Look: CVE-2026-6315, Use After Free in Google Chrome Permissions on Android - ZeroPath Blog | ZeroPath (zeropath.com)
Brief Summary: Google Chrome XR Use After Free Vulnerability CVE-2026-6358 - ZeroPath Blog | ZeroPath (zeropath.com)
Quick Look: CVE-2026-6304 - Use After Free in Chrome's Skia Graphite Enables Sandbox Escape - ZeroPath Blog | ZeroPath (zeropath.com)
Google Chrome Dawn WebGPU Use After Free: Brief Summary of CVE-2026-6310 and Its Sandbox Escape Potential - ZeroPath Blog | ZeroPath (zeropath.com)
Chrome Releases: Stable Channel Update for Desktop (chromereleases.googleblog.com)
Chrome Releases: Stable Channel Update for Desktop (chromereleases.googleblog.com)


