browser security

The newly disclosed CVE-2026-6317 is a high-severity use-after-free vulnerability in Chrome’s Cast component that Google says could let a remote attacker execute arbitrary code through a crafted HTML page. Google’s stable-channel fix landed on April 15, 2026, and the remedied versions are...

Google’s April 15, 2026 Chrome stable update quietly closed a High-severity memory-corruption flaw in PDFium, tracked as CVE-2026-6305, and the fix now matters well beyond browser hobbyists. The bug affects Chrome versions prior to 147.0.7727.101 and allows a remote attacker to execute arbitrary...

Google’s latest Chromium security cycle has put CVE-2026-6310 in the spotlight: a use-after-free in Dawn that was fixed in Chrome 147.0.7727.101 and described by Google as a potential sandbox escape for a remote attacker who had already compromised the renderer process. Microsoft is tracking the...

Microsoft has recorded CVE-2026-33118 as a Microsoft Edge (Chromium-based) spoofing vulnerability, and the key question for defenders is not simply whether the bug exists, but how much confidence Microsoft has in the underlying technical details. In Microsoft’s own vulnerability model, that...

Google has now published CVE-2026-5865, a type confusion in V8 that affects Google Chrome prior to 147.0.7727.55 and can let a remote attacker execute arbitrary code inside the browser sandbox through a crafted HTML page. Microsoft’s Security Update Guide has picked up the record as well, which...

Chromium’s newly disclosed CVE-2026-5918 is a reminder that browser security flaws do not need to be dramatic to matter. Google says the bug affects Chrome versions prior to 147.0.7727.55 and could let a remote attacker who had already compromised the renderer process leak cross-origin data...

A newly published Chromium flaw, CVE-2026-5859, is the kind of browser vulnerability that security teams should treat as an urgent patch item rather than an abstract identifier. Google says the issue is an integer overflow in WebML affecting Chrome versions prior to 147.0.7727.55, and that a...

Chromium’s CVE-2026-5862 is the kind of browser-security flaw that looks narrowly defined on paper but carries a broad operational footprint in practice. Google says the bug is an inappropriate implementation in V8, the JavaScript engine that powers Chrome and other Chromium-based browsers, and...

Google’s newly published CVE-2026-5868 is the kind of browser bug that looks narrow at first glance and then immediately broadens once you unpack the blast radius. The flaw is a heap buffer overflow in ANGLE affecting Google Chrome on Mac prior to 147.0.7727.55, and Google says a crafted HTML...

Google has disclosed a new high-severity Chrome vulnerability, tracked as CVE-2026-5873, that affects the V8 JavaScript engine and allows a remote attacker to achieve arbitrary code execution inside the browser sandbox through a crafted HTML page. The issue affects Google Chrome versions prior...

Microsoft’s latest Chromium security cycle has surfaced CVE-2026-5872, a use-after-free in Blink that affects Google Chrome prior to 147.0.7727.55 and can let a remote attacker execute code inside the browser sandbox through a crafted HTML page. Microsoft’s Security Update Guide now reflects the...

Google’s newly published CVE-2026-5892 is a reminder that browser security failures do not always look dramatic on paper to be dangerous in practice. The flaw, described as insufficient policy enforcement in PWAs, affects Google Chrome versions before 147.0.7727.55 and could let a remote...

Google’s CVE-2026-5895 is a browser UI spoofing flaw in Chrome on iOS that can let a remote attacker make the Omnibox appear to show something different from the real destination. The bug affects versions prior to 147.0.7727.55, and Google rates the Chromium-side issue as Low severity, which is...

CISA’s April 1 update is a reminder that the Known Exploited Vulnerabilities Catalog remains one of the most operationally important signals in federal cybersecurity. The agency says it has added CVE-2026-5281, described as a Google Dawn use-after-free vulnerability, based on evidence of active...

AI chatbots with built-in browsers are no longer a novelty feature tucked away in a product demo. They are quickly becoming a default interface for searching the web, summarizing pages, clicking links, and even completing tasks on a user’s behalf. That convenience comes with a quietly expanding...

CISA’s addition of two browser-related flaws to the Known Exploited Vulnerabilities (KEV) Catalog on March 13, 2026 — tracked as CVE‑2026‑3909 (an out‑of‑bounds write in Skia) and CVE‑2026‑3910 (an unspecified but actively exploited flaw in Chromium’s V8 engine) — is a blunt operational signal...

Google appears to be building a way to switch off the browser’s WebGPU engine on devices running Android 16 as part of the operating system’s new Advanced Protection Mode, a move that signals both the maturing importance of GPU-accelerated web APIs and the continued security headaches they can...

If you’ve been thinking “I’ll try these new AI helpers later,” you’re not alone — they don’t wait. Over the past year major platforms have started embedding generative‑AI features directly into search, browsers, email, productivity apps, and even system shells. That convenience comes with real...

A convincing fake Google Account security page is being used as the front end for a surprisingly sophisticated browser-based surveillance toolkit that can convert an installed Progressive Web App (PWA) into a persistent command-and-control (C2) channel, steal one-time passcodes and clipboard...

Mozilla’s support path for users running pre–Windows 10 desktops has reached a clear milestone: Firefox 115 ESR will be the last maintained Firefox build for Windows 7, Windows 8 and Windows 8.1, and Mozilla’s support documentation now states that security updates for those legacy installations...