Google Patches 31 Chrome Vulnerabilities Including Critical Sandbox Escapes
Take action: Another huge patch for Chrome and Chromium-based browsers (Edge, Opera, Brave, Vivaldi, ...). Don't delay: it fixes five critical flaws and a bunch of others, and it is only a matter of time before some of them get exploited. Updating the browser is easy, and all your tabs reopen after the patch.
Google has released an emergency update for the Chrome web browser to address 31 security vulnerabilities. The patch includes five critical-severity flaws, 22 high-severity issues, and four medium-severity vulnerabilities.
This update follows a significant patching cycle the previous week, in which 60 flaws were closed.
Critical vulnerabilities:
- CVE-2026-6296 (CVSS score 9.6) - A heap buffer overflow in the ANGLE WebGL backend that occurs when processing maliciously crafted web content. Attackers can use this flaw to corrupt memory and break out of the browser's sandbox environment. This allows for arbitrary code execution on the host system with the user's privileges.
- CVE-2026-6297 (CVSS score 8.3) - A use-after-free vulnerability in the Proxy component triggered when the browser handles specific network configurations. An attacker in a privileged network position can use a crafted website to reference memory that has already been freed. This leads to a sandbox escape, allowing the attacker to run commands outside the browser's restricted process.
- CVE-2026-6298 (CVSS score 4.3) - A heap buffer overflow in the Skia graphics library that is triggered by processing manipulated HTML pages. The flaw causes the engine to write data beyond the allocated buffer, which can be used to leak sensitive information from the browser's process memory. While the CVSS score is lower, Google classifies this as critical due to its potential role in complex attack chains.
- CVE-2026-6299 (CVSS score 8.8) - A use-after-free vulnerability in the Prerender component that occurs during the background loading of websites. By tricking a user into visiting a prepared website, attackers can trigger a memory corruption state. This allows the injection and execution of malicious code within the context of the browser.
- CVE-2026-6358 (CVSS score 8.8) - A use-after-free vulnerability in the Extended Reality (XR) component affecting Android devices. Attackers can use manipulated HTML pages to cause the browser to access memory locations after they have been released. This results in unauthorized read access to sensitive memory areas, potentially exposing user data or system information.
High-severity vulnerabilities (CVSS scores TBD for all 22):
- Use-after-free in Video (CVE-2026-6359, CVE-2026-6302), CSS (CVE-2026-6300), Codecs (CVE-2026-6303, CVE-2026-6362), Graphite (CVE-2026-6304), Viz (CVE-2026-6309), FileSystem (CVE-2026-6360), Dawn (CVE-2026-6310), Permissions (CVE-2026-6315), Forms (CVE-2026-6316), and Cast (CVE-2026-6317)
- Type confusion in Turbofan (CVE-2026-6301, CVE-2026-6307)
- Heap buffer overflow in PDFium (CVE-2026-6305, CVE-2026-6306, CVE-2026-6361)
- Out-of-bounds read in Media (CVE-2026-6308)
- Out-of-bounds write in GPU (CVE-2026-6314)
- Uninitialized use in Accessibility (CVE-2026-6311)
- Insufficient policy enforcement in Passwords (CVE-2026-6312) and CORS (CVE-2026-6313)
Medium-severity vulnerabilities (CVSS scores TBD for all four):
- Type confusion in V8 (CVE-2026-6363)
- Use-after-free in Codecs (CVE-2026-6318) and Payments (CVE-2026-6319)
- Out-of-bounds read in Skia (CVE-2026-6364)
Google has released patches in versions 147.0.7727.101 for Android and Linux, and 147.0.7727.101/102 for macOS and Windows.
Google has not reported active exploitation in the wild.
Users can check their current version by selecting 'About Google Chrome' from the Help menu, which also triggers an automatic update if one is available; the update only takes effect after the browser is relaunched. Since these vulnerabilities are in the shared Chromium engine, users of other Chromium-based browsers such as Microsoft Edge should also apply their vendors' pending security updates.
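For anyone responsible for more than one machine, a fleet-side check against the fixed builds listed above is more reliable than asking each user to open the About page. The script below is an added illustration, not part of the original advisory or of any Google tooling; the inventory CSV layout, host names and installed versions are constructed sample data, and it checks Chrome only (other Chromium-based browsers carry their own version numbers).

```python
"""Flag hosts whose Chrome build predates the fixed versions in this advisory."""
from typing import List, Tuple

# Minimum fixed build per platform, from the advisory. macOS/Windows shipped as
# .101/.102; both are at or above .101, so one floor per platform suffices.
FIXED_VERSIONS = {
    "android": "147.0.7727.101",
    "linux": "147.0.7727.101",
    "macos": "147.0.7727.101",
    "windows": "147.0.7727.101",
}

def parse_version(version: str) -> Tuple[int, ...]:
    """'147.0.7727.101' -> (147, 0, 7727, 101); numeric tuples compare correctly,
    whereas plain string comparison would rank '99.0.0.0' above '147.0.0.0'."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)

def is_patched(platform: str, version: str) -> bool:
    """True if the installed build is at or above the fixed build for that platform."""
    return parse_version(version) >= parse_version(FIXED_VERSIONS[platform.lower()])

def outdated_hosts(inventory_csv: str) -> List[Tuple[str, str]]:
    """Return (host, reason) for every row that still needs the update. Unknown
    platforms and malformed versions are reported rather than skipped, so a
    parsing gap cannot silently hide an unpatched machine."""
    findings = []
    for row in inventory_csv.strip().splitlines()[1:]:  # skip the CSV header
        host, platform, version = (f.strip() for f in row.split(","))
        if platform.lower() not in FIXED_VERSIONS:
            findings.append((host, f"unknown platform {platform!r}; review manually"))
            continue
        try:
            if not is_patched(platform, version):
                findings.append((host, f"{version} < {FIXED_VERSIONS[platform.lower()]}"))
        except ValueError as exc:
            findings.append((host, str(exc)))
    return findings

# Constructed sample inventory (hypothetical hosts); columns: host,platform,version
SAMPLE_INVENTORY = """\
host,platform,version
ws-01,windows,147.0.7727.102
ws-02,windows,147.0.7727.96
lx-01,linux,147.0.7727.101
mac-01,macos,146.0.7712.140
and-01,android,147.0.7727.99
"""
```

Running `outdated_hosts(SAMPLE_INVENTORY)` on the sample data flags ws-02, mac-01 and and-01; the real inventory would come from your endpoint-management export in the same three columns.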