
Google Chrome Vendor Cyber Rating & Cyber Score

google.com

Fast, simple and secure. The browser built by Google is designed to help you stay productive while on the web. Find the latest features, news and stories behind the technology from the browser.


Google Chrome A.I CyberSecurity Scoring

Google Chrome
Company Information
Website: https://www.google.com/chrome/
Employees number: None
Number of followers: 26,575
NAICS: 513
Industry Type: Technology, Information and Internet
Homepage: google.com
Google Chrome Risk Score (AI oriented)
Between 600 and 649
Google Chrome
Technology, Information and Internet
Updated: 09/06/2026
649/1000
Poor
Caa
Rating scale: Aaa, Aa, A, Baa, Ba, B, Caa, Ca, C
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium

Google Chrome
Current Score: 649, Caa (Poor)
Scale: 0 to 1000
13 incidents
-10.55 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
653 Before Incident
Vulnerability
08 Jun 2026, Google Chrome
Google: Google Releases Patch for Chrome Vulnerability Exploited in the Wild

Google Patches 74 Chrome Vulnerabilities, Including Exploited Zero-Day

649 After Incident
CRITICAL (-4)
GOO1781000631
Google has issued an emergency update to address 74 vulnerabilities in Chrome, including a high-severity zero-day flaw (CVE-2026-11645) actively exploited in the wild. This marks the fifth Chrome zero-day patched in 2026 before a fix was available. The security bulletin, released on June 8, includes fixes for 17 critical, 55 high-severity, and two medium-severity vulnerabilities. The patches will roll out gradually over the coming days and weeks for Chrome users on Windows, macOS, and Linux. CVE-2026-11645, an out-of-bounds read and write vulnerability in Chrome’s V8 JavaScript engine, affects versions prior to 149.0.7827.103. The flaw allows remote attackers to execute arbitrary code within a sandbox via a maliciously crafted HTML page, earning a high-severity rating of 8.8. Google awarded $55,000 to the researcher (identified as 303f06e3) who reported the issue on April 27. While Google confirmed active exploitation, it withheld further details to prevent additional attacks until most users receive the update. The company also noted that restrictions on bug details may remain if the vulnerability exists in third-party libraries still awaiting fixes.
INCIDENT DETAILS
TYPE
Zero-Day Vulnerability
IMPACT
Systems Affected: Chrome browser (versions prior to 149.0.7827.103)
Operational Impact: Remote code execution within a sandbox
JUNE 2026
672 Before Incident
Cyber Attack
04 Jun 2026, Google Chrome
Google and Chrome Extension Developers: Hackers Use Fake Chrome Web Store Copyright Notices to Steal Google Credentials

Sophisticated Phishing Campaign Targets Chrome Extension Developers with Fake Copyright Notices

653 After Incident
HIGH (-19)
GOOGOO1780561453
A new phishing campaign is impersonating the Chrome Web Store to trick extension developers into surrendering their Google credentials. The attack, uncovered by Malwarebytes, sends fake copyright infringement notices that closely mimic official Google communications, complete with a 48-hour countdown to appeal, creating urgency to bypass scrutiny. The scam leverages publicly available details about legitimate extensions, including their names, icons, and store listings, to craft highly personalized fake complaints. Victims are directed to a spoofed "Chrome Web Store Developer Policy Center" hosted on dmca-chrome-extensions[.]click, where a convincing but fraudulent Google sign-in window harvests credentials. The fake login page even adapts its appearance based on the victim’s operating system (Mac or Windows) and includes a padlock icon and accounts.google.com branding to appear authentic. If successful, attackers could hijack developer accounts to distribute malicious updates to thousands of unsuspecting users. The campaign stands out for its precision, using real extension data to exploit trust rather than generic phishing tactics. Developers are advised to verify notices directly through the Chrome Web Store dashboard, avoid clicking links in unsolicited emails, and enable two-factor authentication (preferably with hardware keys) to mitigate risks. Those who may have fallen victim should immediately reset their Google password, revoke active sessions, and audit their extensions for unauthorized changes. The phishing domain dmca-chrome-extensions[.]click has been identified as the primary indicator of compromise.
INCIDENT DETAILS
TYPE
Phishing
MOTIVATION
Credential Theft, Malicious Software Distribution
IMPACT
Data Compromised: Google Account Credentials
Systems Affected: Chrome Extension Developer Accounts
Operational Impact: Potential Distribution of Malicious Updates to Users
Brand Reputation Impact: Potential Damage to Developer and Chrome Web Store Reputation
Identity Theft Risk: High (Google Account Credentials)
DATA BREACH
Type Of Data Compromised: Credentials (Google Account)
Sensitivity Of Data: High (Account Access, Potential for Malicious Updates)
Personally Identifiable Information: Google Account Credentials
MAY 2026
675 Before Incident
Vulnerability
14 May 2026, Google Chrome
Google: Cyber Security News ®’s Post

VoidStealer Malware Exploits Chrome’s App-Bound Encryption to Steal User Data

670 After Incident
CRITICAL (-5)
GOO1779200646
A recently identified malware strain, VoidStealer, is targeting Google Chrome users on Windows, employing a sophisticated method to circumvent one of the browser’s critical security defenses. The malware specifically exploits Chrome’s App-Bound Encryption, a feature introduced by Google to safeguard stored passwords and session cookies from unauthorized access. Unlike traditional malware that relies on elevated system privileges, VoidStealer operates without requiring admin-level access, making it a particularly stealthy threat. The malware’s ability to bypass Chrome’s encryption layer highlights a growing trend in cybercriminal tactics, where attackers increasingly focus on browser-stored credentials as a high-value target. The discovery underscores the evolving nature of information-stealing malware, which continues to refine techniques to evade detection and extract sensitive data. While the exact distribution methods remain unclear, the emergence of VoidStealer serves as a reminder of the persistent risks posed by credential theft in modern cyberattacks.
INCIDENT DETAILS
TYPE
Malware
MOTIVATION
Data theft
IMPACT
Data Compromised: Passwords and session cookies
Systems Affected: Google Chrome on Windows
Identity Theft Risk: High
DATA BREACH
Passwords
Session cookies
Sensitivity Of Data: High
Personally Identifiable Information: Yes
MAY 2026
679 Before Incident
Vulnerability
12 May 2026, Google Chrome
Google: Malicious Chrome MV3 Extension Impersonates TronLink to Steal Crypto Wallet Credentials

Fake TronLink Chrome Extension Steals Crypto Wallet Credentials in Large-Scale Phishing Attack

675 After Incident
HIGH (-4)
GOO1778588839
A malicious Chrome extension masquerading as the popular TronLink crypto wallet has been discovered stealing sensitive credentials, including mnemonic phrases, private keys, and passwords from unsuspecting users. The extension, which appeared on the Chrome Web Store with over 1 million claimed installs and a 4.5-star rating, exploited the reputation of a legitimate listing to evade suspicion. Security firm SlowMist identified the threat after its MistEye monitoring system flagged the extension as a high-risk phishing sample. The attack leveraged a two-layer approach: the extension itself, which requested minimal permissions, and a remote phishing page that loaded inside the extension’s popup. This page was a near-perfect replica of the real TronLink wallet, tricking users into entering their credentials. Once entered, the stolen data was instantly transmitted to attacker-controlled accounts via Telegram, leaving victims unaware of the breach. The extension also employed evasion tactics, including Unicode spoofing to mimic the TronLink name, geographic redirection (blocking Russian users), and anti-analysis measures like disabling right-clicks and developer tools. The impact is severe: any wallet accessed through the extension is considered fully compromised, with funds at immediate risk of theft. Users who installed the extension (ID: ekjidonhjmneoompmjbjofpjmhklpjdd) are advised to remove it and migrate funds to a new wallet. Security teams should block the malicious domain tronfind-api.tronfindexplorer[.]com and monitor for related traffic patterns. The attack highlights the risks of inherited extension reputations and the sophistication of modern phishing campaigns targeting cryptocurrency users.
INCIDENT DETAILS
TYPE
Phishing
MOTIVATION
Financial gain
IMPACT
Financial Loss: Funds at immediate risk of theft
Data Compromised: Mnemonic phrases, private keys, passwords
Systems Affected: User crypto wallets accessed via the extension
Brand Reputation Impact: Damage to TronLink's reputation due to impersonation
Identity Theft Risk: High (wallet credentials stolen)
Payment Information Risk: High (crypto wallet credentials stolen)
DATA BREACH
Type Of Data Compromised: Mnemonic phrases, private keys, passwords
Sensitivity Of Data: High (crypto wallet credentials)
Data Exfiltration: Transmitted to attacker-controlled accounts via Telegram
Personally Identifiable Information: Wallet credentials (indirectly linked to user identities)
APRIL 2026
683 Before Incident
Vulnerability
28 Apr 2026, Google Chrome
Mozilla and Google: Chrome 147, Firefox 150 Security Updates Rolling Out

Google and Mozilla Patch Critical Memory Safety Flaws in Chrome and Firefox

678 After Incident
LOW (-5)
GOOMOZ1777494638
Google and Mozilla released urgent security updates this week to address multiple memory safety vulnerabilities in Chrome and Firefox, including critical flaws that could enable arbitrary code execution.

Chrome 147 Update

Google’s latest Chrome update (version 147.0.7727.137/138 for Windows/macOS, 147.0.7727.137 for Linux) fixes 30 security issues, four of which are critical-severity use-after-free vulnerabilities:
- CVE-2026-7363 (Canvas)
- CVE-2026-7361 (iOS)
- CVE-2026-7344 (Accessibility)
- CVE-2026-7343 (Views)

Use-after-free flaws occur when an application references deallocated memory, potentially leading to crashes, data leaks, or remote code execution. The remaining 26 patches primarily address high-severity memory safety bugs, including out-of-bounds reads, buffer overflows, and type confusion issues. Google awarded $30,000 in bug bounties, with the highest payout ($16,000) for a GPU-related use-after-free flaw.

Firefox 150.0.1 Update

Mozilla’s Firefox 150.0.1 resolves four vulnerabilities, including three critical/high-severity memory safety bugs (CVE-2026-7322, CVE-2026-7323, CVE-2026-7324) that could allow arbitrary code execution. A fourth flaw, CVE-2026-7320, is an information disclosure issue in the Audio/Video component. The fixes extend to Firefox ESR 140.10.1 and 115.35.1, which also patch a medium-severity sandbox escape. Both updates mitigate risks of exploitation, with Mozilla noting that some of the patched bugs showed signs of memory corruption. Users are advised to apply the updates immediately.
INCIDENT DETAILS
TYPE
Vulnerability Patch
IMPACT
Systems Affected: Chrome and Firefox browsers
Operational Impact: Potential arbitrary code execution, crashes, data leaks
APRIL 2026
686 Before Incident
Vulnerability
01 Apr 2026, Google Chrome
Vivaldi, Microsoft, Brave, Google and Opera: CISA Warns of Chrome 0-Day Vulnerability Actively Exploited in Attacks

Critical Zero-Day Vulnerability in Google Chrome Exploited in the Wild (CVE-2026-5281)

681 After Incident
CRITICAL (-5)
MICBRAGOOOPEVIV1775147800
A newly discovered zero-day vulnerability in Google Chrome, tracked as CVE-2026-5281, is under active exploitation, posing severe risks to users globally. The flaw, a Use-After-Free (UAF) bug in Google Dawn, an open-source WebGPU implementation, allows attackers to bypass security protections and execute arbitrary code on affected systems. The vulnerability was added to the Known Exploited Vulnerabilities (KEV) catalog on April 1, 2026, prompting urgent calls for updates. Exploitation requires tricking a victim into visiting a malicious HTML page, which triggers the UAF bug, enabling attackers to compromise the system, steal data, or deploy malware. For enterprises, a single compromised browser could serve as an entry point for lateral movement across networks. While the advisory focuses on Google Chrome, the flaw affects all Chromium-based browsers, including Microsoft Edge, Opera, Vivaldi, and Brave, due to its presence in the underlying engine. Security researchers have not yet confirmed whether the vulnerability is being used in ransomware campaigns, but its active exploitation elevates it to a high-priority threat. The Cybersecurity and Infrastructure Security Agency (CISA) has mandated Federal Civilian Executive Branch (FCEB) agencies to mitigate the risk by April 15, 2026, under Binding Operational Directive (BOD) 22-01. Organizations and users are advised to apply vendor-provided patches immediately, prioritize browser updates in patch management cycles, and discontinue use of unpatched versions if mitigations are unavailable.
INCIDENT DETAILS
TYPE
Zero-Day Vulnerability Exploitation
IMPACT
Data Compromised: Potential data theft
Systems Affected: Google Chrome and all Chromium-based browsers (Microsoft Edge, Opera, Vivaldi, Brave)
Operational Impact: Lateral movement risk for enterprises
Identity Theft Risk: High (if PII is compromised)
DATA BREACH
Sensitivity Of Data: Potentially high (if PII or sensitive data is accessed)
Data Exfiltration: Possible
Personally Identifiable Information: Possible
MARCH 2026
689 Before Incident
Vulnerability
12 Mar 2026, Google Chrome
Google: Google Patches Two Chrome Zero-Day Vulnerabilities Exploited in Active Attacks

Google Patches Two Actively Exploited Chrome Zero-Days in Emergency Update

685 After Incident
CRITICAL (-4)
GOO1773664366
Google has released an out-of-band security update for Chrome to address two high-severity zero-day vulnerabilities, CVE-2026-3909 and CVE-2026-3910, currently being exploited in the wild. The patches are available for Windows (146.0.7680.75), macOS (146.0.7680.76), and Linux (146.0.7680.75) as of Thursday. The first flaw, CVE-2026-3909, is an out-of-bounds write vulnerability in Skia, Chrome’s open-source 2D graphics engine. Such flaws can enable attackers to crash the browser or execute arbitrary code. The second, CVE-2026-3910, involves an inappropriate implementation in V8, Chrome’s JavaScript and WebAssembly engine. Google has withheld technical details for both vulnerabilities while the update rolls out. Chrome typically updates automatically, but users can force the patch by navigating to Settings > Help > About Google Chrome, triggering an immediate check and installation. A browser relaunch is required to complete the update. Google notes that the rollout may take days or weeks to reach all users. These are the second and third actively exploited Chrome zero-days patched in 2026, following CVE-2026-2441, a CSS-related flaw fixed in February. In 2025, Google addressed eight actively exploited Chrome zero-days. No details about the current attacks have been disclosed, and bug specifics will remain restricted until most users are protected.
INCIDENT DETAILS
TYPE
Zero-Day Vulnerability Exploitation
IMPACT
Systems Affected: Chrome Browser (Windows, macOS, Linux)
Operational Impact: Potential arbitrary code execution or browser crashes
FEBRUARY 2026
693 Before Incident
Vulnerability
24 Feb 2026, Google Chrome
Google: Google Rushes Emergency Chrome Update to Fix Three High-Severity Security Flaws

Google Releases Emergency Chrome Update to Patch Three High-Severity Vulnerabilities

688 After Incident
CRITICAL (-5)
GOO1771975200
Google has issued an urgent security update for its Chrome browser, addressing three high-severity vulnerabilities that could expose users to remote code execution, data leaks, and sandbox bypasses. The patch applies to Windows, Mac, and Linux systems, with updated versions now available: 145.0.7632.116/117 for Windows and Mac, and 144.0.7559.116 for Linux. The vulnerabilities, all rated high severity, include:
- CVE-2026-3061: An out-of-bounds read flaw in Chrome’s Media component, reported by Luke Francis, which could lead to memory corruption or sensitive data exposure.
- CVE-2026-3062: A combined out-of-bounds read/write vulnerability in Chrome’s Tint shader engine, discovered by cinzinga, enabling attackers to execute arbitrary code.
- CVE-2026-3063: An improper implementation in DevTools, reported by M. Fauzan Wijaya (Gh05t666nero), allowing potential sandbox escapes and session token theft.

Google has withheld technical details to prevent exploitation before most users apply the update, following responsible disclosure practices. The company credited independent researchers, highlighting the role of bug bounty programs in identifying critical flaws. The update rolls out gradually over days and weeks, with users advised to restart Chrome or manually check for updates via chrome://settings/help. Enterprises can deploy the patch across fleets using Google Update policies. Given Chrome’s dominant market share, the fixes mitigate risks for billions of users, blocking potential attack chains from phishing to remote code execution. The incident underscores the ongoing threat landscape targeting widely used browsers.
INCIDENT DETAILS
TYPE
Vulnerability Patch
IMPACT
Data Compromised: Sensitive data exposure, session token theft
Systems Affected: Chrome browser on Windows, Mac, and Linux
Operational Impact: Potential remote code execution, sandbox bypasses
Identity Theft Risk: Session token theft
DATA BREACH
Type Of Data Compromised: Sensitive data, session tokens
Sensitivity Of Data: High
Personally Identifiable Information: Session tokens
FEBRUARY 2026
748 Before Incident
Breach
12 Feb 2026, Google Chrome
Google, Kontera, Blocksi and Big Star Labs: 287 Malicious Chrome Extensions Steal Browsing Data from 37.4 Million Users

Millions of Chrome Users Affected by Data-Leaking Extensions in Large-Scale Investigation

692 After Incident
CRITICAL (-56)
GOOBLOKONBIG1770906371
A recent security investigation has exposed 287 Chrome extensions secretly transmitting users’ browsing data to remote servers, impacting an estimated 37.4 million installs, roughly 1% of Chrome’s global user base. Researchers developed an automated testing pipeline to detect this "spying" behavior at scale, analyzing network traffic rather than relying on extension permissions or descriptions. The team ran Chrome in a Docker container, routing traffic through a man-in-the-middle (MITM) proxy to monitor outbound data. By visiting controlled web addresses, they identified extensions that leaked URLs or other sensitive information. Their method measured traffic growth relative to URL length, using a leakage metric to flag extensions sending data to third parties. Extensions with a leakage ratio (R) ≥ 1.0 were classified as "definitely leaking," while those with 0.1 ≤ R < 1.0 underwent manual review. The scanning effort required 930 CPU-days, with each extension taking about 10 minutes to analyze. To prevent evasion, the researchers withheld full technical details of their detection methods. The findings, including a detailed report and interactive HTML version, were published on GitHub. The extensions sent data to a mix of well-known analytics firms, data brokers, and obscure actors, including Similarweb, Big Star Labs (linked to Similarweb), Curly Doggo, Offidocs, and Chinese-linked entities. Leaked URLs often contained personal identifiers, password reset links, document names, and internal admin paths, posing risks for privacy violations and targeted attacks. To track downstream use, the team deployed "honey URLs", decoy links designed to attract scrapers. Multiple IP ranges, including those tied to Kontera (AWS NAT endpoints), HashDit, and Blocksi AI Web Filter, repeatedly accessed these links, suggesting the data was re-queried or resold.
The investigation highlights the scale and sophistication of browser extension-based data collection, with implications for both individual users and organizations.
INCIDENT DETAILS
TYPE
Data Leakage
MOTIVATION
Data Collection
Surveillance
Resale of User Data
IMPACT
Data Compromised: Browsing data, URLs containing personal identifiers, password reset links, document names, internal admin paths
Systems Affected: Chrome browser extensions
Brand Reputation Impact: Potential reputational damage to Chrome and affected entities
Legal Liabilities: Potential regulatory violations (e.g., GDPR, CCPA)
Identity Theft Risk: High
DATA BREACH
Type Of Data Compromised: Browsing data, URLs, personal identifiers, password reset links, document names, internal admin paths
Sensitivity Of Data: High
Data Exfiltration: Yes
Personally Identifiable Information: Yes
JANUARY 2026
753 Before Incident
Vulnerability
09 Jan 2026, Google Chrome
Google: Chrome Security Update Patches Background Fetch API Vulnerability

Chrome Patches High-Severity Vulnerability in Background Fetch API

748 After Incident
LOW (-5)
GOO1769604246
Google has released Chrome versions 144.0.7559.109 and 144.0.7559.110 to the stable channel, addressing a critical security flaw (CVE-2026-1504) in the Background Fetch API. The update is rolling out gradually across Windows, Mac, and Linux over the coming days and weeks. The vulnerability, rated High severity (CVSS 7.5), stems from an inappropriate implementation in the Background Fetch API, a web standard that enables background file downloads even after users close browser tabs. If exploited, the flaw could allow threat actors to manipulate background fetch operations, though specific exploitation details remain restricted until most users receive the patch. Security researcher Luan Herrera (@lbherrera_) discovered and reported the issue on January 9, 2026, earning a $3,000 bug bounty under Google’s Vulnerability Reward Program. The fix is part of Chrome’s ongoing security efforts, supported by advanced detection tools like AddressSanitizer, MemorySanitizer, and Control Flow Integrity to prevent such vulnerabilities from reaching stable releases. Users can manually update Chrome via Settings > About Chrome, with Windows and Mac users targeting versions 144.0.7559.109/.110 and Linux users receiving 144.0.7559.109. Enterprises managing large Chrome deployments are advised to monitor the rollout and validate application compatibility. Google continues collaborating with security researchers to strengthen Chrome’s defenses, with additional details available in the official Chrome commit log.
INCIDENT DETAILS
TYPE
Vulnerability
IMPACT
Systems Affected: Chrome Browser (Windows, Mac, Linux)
JANUARY 2026
757 Before Incident
Vulnerability
07 Jan 2026, Google Chrome
Google: Google Chrome 144 Update Patches High-Severity Vulnerability in V8 Engine

Google Patches Critical V8 JavaScript Engine Flaw in Chrome Update

753 After Incident
CRITICAL (-4)
GOO1768994572
Google has released Chrome versions 144.0.7559.96 and 144.0.7559.97 for Windows, macOS, and Linux to address a high-severity race condition vulnerability (CVE-2026-1220) in the V8 JavaScript engine. The update began rolling out on January 20, 2026, following the flaw’s discovery by security researcher @p1nky4745 on January 7, 2026. The vulnerability stems from a race condition in V8, where improper synchronization of shared resources could allow attackers to manipulate memory and execute arbitrary code. Exploitation requires tricking users into visiting a malicious website, potentially leading to credential theft, malware installation, or unauthorized access to sensitive data. Google’s phased deployment ensures stability, with Windows and macOS users receiving 144.0.7559.96/.97 and Linux users getting 144.0.7559.96. The flaw was detected using Google’s security testing tools, including AddressSanitizer, MemorySanitizer, and UndefinedBehaviorSanitizer, which identify memory safety issues. Technical details remain restricted until most users update to prevent exploitation. Organizations are advised to prioritize the patch, while users can manually check for updates via Chrome’s settings. Bug reports can be submitted through official channels.
INCIDENT DETAILS
TYPE
Vulnerability Exploitation
IMPACT
Data Compromised: Sensitive data, credentials
Systems Affected: Google Chrome (Windows, macOS, Linux)
Identity Theft Risk: High
DATA BREACH
Type Of Data Compromised: Credentials, sensitive data
Sensitivity Of Data: High
Personally Identifiable Information: Possible
DECEMBER 2025
757 Before Incident
NOVEMBER 2025
757 Before Incident
OCTOBER 2025
757 Before Incident
SEPTEMBER 2025
757 Before Incident
AUGUST 2025
756 Before Incident
JULY 2025
756 Before Incident
MARCH 2025
760 Before Incident
Vulnerability
28 Mar 2025, Google Chrome
Google Chrome

Operation ForumTroll: Exploitation of CVE-2025-2783 in Google Chrome

755 After Incident
CRITICAL (-5)
GOO058032925
Google Chrome encountered a critical zero-day vulnerability identified as CVE-2025-2783, being exploited through a campaign named Operation ForumTroll. Targeting various institutions, the flaw allowed attackers to escape Chrome’s sandbox, potentially enabling them to execute arbitrary code on victims' systems, with minimal interaction. Despite a prompt patch release in Chrome version 134.0.6998.177/.178, the situation posed espionage risks, likely attributed to an APT group's involvement. Organizations were urged to upgrade their browsers and enhance security protocols to prevent exploitation.
INCIDENT DETAILS
TYPE
Zero-Day Vulnerability
MOTIVATION
Espionage
IMPACT
Google Chrome
DECEMBER 2022
774 Before Incident
Vulnerability
01 Dec 2022, Google Chrome
Google Chrome

Google Chrome Zero-Day Vulnerability

757 After Incident
CRITICAL (-17)
GOO181291222
Cybersecurity and Infrastructure Security Agency (CISA) added the Google Chrome zero-day to its catalog of exploited vulnerabilities. The bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed. An attacker could exploit the vulnerability and compromise a victim when they simply visit a website that hosts malicious HTML code.
INCIDENT DETAILS
TYPE
Zero-Day Exploit
IMPACT
Google Chrome

Google Chrome Cyber Scoring History | Rankiteo