Google Warns 3.5 Billion Chrome Users Of High-Risk Update

Google has released a high-risk security update for 3.5 billion Chrome users, fixing eight high-severity vulnerabilities. The “High” rating indicates attackers could execute malicious code or bypass security layers by tricking users into visiting infected websites, even if no active exploits have been detected yet. The update follows public disclosure of ShadowPrompt, a separate zero-click vulnerability in Anthropic’s Claude Chrome extension that could have allowed websites to silently inject prompts without user consent.

Nearly all 3.5 billion users of Chrome, the most popular online browser worldwide, will get a security update from Google that fixes at least eight high-risk vulnerabilities. Fortunately, none of these are zero-day vulnerabilities, which means that there is no proof that threat actors have exploited any of them. The good news is that Chrome automatically installs these updates. However, Google cautions that it may take days or weeks to finish the security rollout, so users are recommended to start the process and get protected as soon as feasible. What you should know and do is as follows.

Chrome is being updated to 146.0.7680.164/165 for Windows/Mac and 146.0.7680.164 for Linux, according to Google’s Srinivas Sista. Krishna Govind issued a similar announcement for Android users, updating the app to 146.0.76380.164.

The details of the eight vulnerabilities will be “kept restricted until a majority of users are updated with a fix,” according to the Google security update confirmation, but I can assure you that they affect everything from WebAudio, WebGL, WebGPU, and CSS to the Chrome Fonts component.

The following are the eight security flaws, each of which has a high Common Vulnerability Scoring System severity rating:

• CVE-2026-4673: Heap buffer overflow in WebAudio
• CVE-2026-4674: Out-of-bounds read in CSS
• CVE-2026-4675: Heap buffer overflow in WebGL
• CVE-2026-4676: Use after free in Dawn (part of the WebGPU implementation)
• CVE-2026-4677: Out-of-bounds read in WebAudio
• CVE-2026-4678: Use-after-free in WebGPU
• CVE-2026-4679: Integer overflow in Fonts
• CVE-2026-4680: Use after free in FedCM (a privacy-centric identity authentication component)

A reason why Google Chrome needs to be updated and how to do It now appears that the security flaws fixed in this most recent Google Chrome update are nearly as serious as CVE-2025-20435, which put up to 875 million Android smartphone users at risk of being hacked while the device was locked and in less than 60 seconds, but that doesn’t mean users can relax. Every security defect on the Common Vulnerabilities and Exposures list needs to be taken carefully, especially those with a high severity level. Therefore, even though Chrome will automatically update, possibly even by the time you read this, there is no assurance that every user will have received the patch. 

Fortunately, there is a way to eliminate any uncertainty and get the process started. It’s really simple and only takes a few seconds to complete; simply select the Help|About Google Chrome option from the three-dot menu located at the upper right of the Chrome window. And that’s about it.

It is also advisable not to wait for auto-updates. Manually update: three dots > Help > About Google Chrome. Click Relaunch, security fixes apply only after restart.

This will determine whether an update is available for your version. It will be downloaded and installed if that is the case. However, Google has made it quite clear that users must restart the browser in order for the security update to take effect.

A newly disclosed vulnerability called ShadowPrompt highlights the importance of prompt patching and responsible disclosure. Oren Yomtov, principal security researcher at Koi, published a technical analysis of the flaw, which affected Anthropic’s Claude Chrome extension. Fixed after a private disclosure on December 27, 2025, the vulnerability allowed attackers to inject malicious AI prompts with zero clicks, simply by visiting a compromised website. “No clicks, no permission prompts. Just visit a page, and an attacker completely controls your browser,” Yomtov confirmed.

The attack exploited an “overly permissive origin allowlist” in the Chrome extension and a cross-site scripting (XSS) vulnerability in an Arkose Labs CAPTCHA component. Both have since been patched, and the Claude extension has been updated. Users should verify they’re running version 1.0.41 or higher by checking at chrome://extensions. Earlier versions might still be vulnerable, Yomtov warned.

The update addresses eight security flaws across core components, including WebAudio, WebGL, WebGPU, CSS, and fonts. Notable patches include CVE-2026-4673 (WebAudio heap buffer overflow) and CVE-2026-4680 (Use-after-free in FedCM). The release affects Chrome on Windows, macOS, Linux, and Android. Target versions: 146.0.7680.164/165 (Windows/Mac), 146.0.7680.164 (Linux), and 146.0.76380.164 (Android).