Chrome
-
VoidStealer uses debugger trick to extract Chrome master key, researchers say
VoidStealer, a malware-as-a-service, uses a debugger-based method that leverages hardware breakpoints to extract Chrome’s v20_master_key from memory, researchers at Gen Digital reported.
-
Google patches two Chrome zero-days exploited in the wild
Google released Chrome updates to fix two high-severity zero-days exploited in the wild. Both are scored 8.8. Users should update Chrome to the listed versions on Windows, macOS and Linux to reduce risk.
-
Patched Chrome flaw allowed malicious extensions to hijack Gemini panel
A Unit 42 technical analysis found CVE-2026-0628 could let malicious Chrome extensions inject code into the Gemini panel and access camera, microphone, screenshots, and local files. Google patched the issue in early January 2026.
-
Chrome to adopt Merkle Tree Certificates in phased move toward quantum resistance
Google said Chrome will develop Merkle Tree Certificates to make HTTPS resilient to future quantum threats and plans a phased rollout through Q3 2027, beginning with a feasibility study with Cloudflare.
-
Google patches actively exploited Chrome zero-day CVE-2026-2441
Google released Chrome updates to fix CVE-2026-2441, a high-severity use-after-free bug in CSS that is being exploited in the wild. Users should update Chrome to the patched versions to reduce risk.
-
Google patches Chrome flaw in ANGLE library that is being actively exploited
Google released Chrome security updates on Dec. 11 that fix three vulnerabilities, including a high-severity flaw in the ANGLE graphics library tracked as Chromium issue 466192044 and reported to be exploited in the wild; users should update to the latest 143.0.7499 builds.
-
Long-running ‘ShadyPanda’ campaign amassed more than 4.3 million browser extension installs, researchers say
Researchers say the ShadyPanda campaign turned hundreds of browser extensions into spyware and backdoors, accumulating more than 4.3 million installs across Chrome and Edge and exfiltrating browsing data to multiple domains.
-
Google issues Chrome security update for actively exploited V8 bug
Google released Chrome updates to fix two V8 type confusion vulnerabilities, including CVE-2025-13223 which is being actively exploited; users should update to the listed Chrome versions and other Chromium-based browser vendors should apply fixes when available.
-
Researcher discloses ‘Brash’ flaw that can crash Chromium-based browsers by spamming tab title
A researcher has published details of ‘Brash’, a vulnerability in Chromium’s Blink engine that can crash Chromium-based browsers by rapidly updating the document.title field, causing massive DOM mutations and UI thread saturation.
-
Google patches Chrome zero-day exploited in the wild; updates rolled out across Windows, macOS and Linux
Google released security updates for Chrome to fix four vulnerabilities, including a zero-day exploited in the wild (CVE-2025-10585) in the V8 engine, with patches available for Windows, macOS and Linux and guidance to update across Chromium-based browsers.









