Google Confirms High-Risk Update For 3.5 Billion Chrome Users
By Davey Winder,
Senior Contributor.
Davey Winder is a veteran cybersecurity writer, hacker and analyst.
Mar 27, 2026, 11:17am EDT
Updated March 27: Following the confirmation of a high-risk security update for nearly all of Chrome's 3.5 billion web browser users, this article has been updated with news concerning the public disclosure of a vulnerability impacting Anthropic's Claude Google Chrome extension, named as ShadowPrompt, that could have enabled a website to silently inject prompts without being prompted for permission and requiring no clicks from the user.
Google has confirmed that nearly all 3.5 billion users of the world's most used web browser, Chrome, are to receive a security update addressing no less than eight high-risk vulnerabilities. Thankfully, none of these are of the zero-day variety as recently reported, meaning there is no evidence of any of them being exploited by threat actors. There's more good news as well; Chrome applies these updates automatically. Google does, however, warn that the security rollout could take days or weeks to complete, so users are best advised to kickstart the process and get protected as soon as possible. Here's what you need to know and do.
What We Know About The New Google Chrome Security Vulnerabilities
Google's Srinivas Sista has confirmed that Chrome is being updated to 146.0.7680.164/165 for Windows/Mac and 146.0.7680.164 for Linux, while Krishna Govind made a similar announcement for Android users, taking the app to version 146.0.76380.164.
Although, as the Google security update confirmation stated, access to the details regarding the eight vulnerabilities will be "kept restricted until a majority of users are updated with a fix," I can tell you that they impact everything from WebAudio, WebGL, WebGPU and CSS; even the Chrome Fonts component has been affected.
The eight security vulnerabilities themselves, all with a high Common Vulnerability Scoring System severity rating, are as follows:
CVE-2026-4673: Heap buffer overflow in WebAudio
CVE-2026-4674: Out-of-bounds read in CSS
CVE-2026-4675: Heap buffer overflow in WebGL
CVE-2026-4676: Use after free in Dawn (part of the WebGPU implementation)
CVE-2026-4677: Out-of-bounds read in WebAudio
CVE-2026-4678: Use-after-free in WebGPU
CVE-2026-4679: Integer overflow in Fonts
CVE-2026-4680: Use after free in FedCM (a privacy-centric identity authentication component)
Why You Need To Update Google Chrome And How To Do It Right Now
I'm not suggesting that the security vulnerabilities patched in this latest update to Google Chrome are anywhere near as critical as CVE-2025-20435, which put as many as 875 million Android smartphone users at risk of being hacked while the device was locked, and in less than 60 seconds, but that doesn't mean you can just sit back and relax. All Common Vulnerabilities and Exposures-listed security flaws, especially those that get a high severity rating, must be taken seriously. So, while Chrome will be updated automatically, and quite possibly by the time you are reading this, there's no guarantee the patch will have reached you yet.
Thankfully, there's a way to avoid all doubt and kickstart the process, and it's really straightforward, taking just a few seconds to do: just go to the Help|About Google Chrome option in the three-dot menu at the top right of the Chrome window. And that's it, pretty much.

This will check your version and whether an update is available. If so, it will be downloaded and installed. You must then relaunch the browser, though, as Google has made it quite clear that the security update will not be activated unless you do.
ShadowPrompt: Exploiting Google Chrome Extension For 0-Click Prompt Injection
If you want further evidence of the power of prompt (every pun intended) patching and responsible disclosure of security vulnerabilities impacting Chrome users, look no further than the newly published report concerning ShadowPrompt. Oren Yomtov, principal security researcher at Koi, has published the full technical analysis of the vulnerability, which Anthropic and Arkose Labs have already fixed following the original responsible and private disclosure on December 27, 2025. Another high-risk vulnerability, this one could have enabled anyone using Anthropic's Claude Google Chrome extension to trigger nefarious AI prompts simply by visiting a malicious website, zero clicks required. "No clicks, no permission prompts. Just visit a page and an attacker completely controls your browser," Yomtov confirmed.
The attack chain involved what the report described as an "overly permissive origin allowlist" in the Google Chrome extension, along with a cross-site scripting vulnerability in an Arkose Labs CAPTCHA component. Yes, CAPTCHA again, yikes. Please read the full report if you want the technical details behind this one, but rest assured the danger is over, as the Chrome extension has already been updated and the XSS vulnerability patched. "If you're using the Claude Google Chrome Extension," Yomtov said, "verify your installed version is 1.0.41 or higher, as earlier versions might still be vulnerable. Go to chrome://extensions, find the Claude extension, and check the version number."
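For anyone responsible for more than one machine, the two manual version checks described above (Chrome itself and the Claude extension) can be run over an exported inventory. The Python below is an added example, not code from Google, Anthropic, Koi or the original article; the CSV columns, host names and sample rows are constructed, it covers desktop platforms only, and it assumes 146.0.7680.164 as the minimum fixed Chrome build for Windows, Mac and Linux.

```python
import csv
import io

# Fixed versions as stated in the article; .164 is assumed as the desktop floor.
CHROME_FIXED = {"windows": "146.0.7680.164", "mac": "146.0.7680.164",
                "linux": "146.0.7680.164"}
CLAUDE_EXT_FIXED = "1.0.41"

def parse_version(text):
    """Turn '146.0.7680.164' into (146, 0, 7680, 164); None if malformed."""
    parts = (text or "").strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_at_least(installed, fixed):
    """Compare component by component as integers, never as strings:
    as text, '80' sorts after '164' and '1.0.9' after '1.0.41'."""
    a, b = parse_version(installed), parse_version(fixed)
    if a is None or b is None:
        return False  # an unreadable version is treated as unpatched
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))

def audit(inventory_csv):
    """Return (host, finding) pairs for every host that needs attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = CHROME_FIXED.get((row["platform"] or "").lower())
        if fixed is None:
            findings.append((row["host"], "unknown platform"))
        elif not is_at_least(row["chrome"], fixed):
            findings.append((row["host"], "chrome below " + fixed))
        # An empty extension column means the extension is not installed.
        ext = row["claude_ext"]
        if ext and not is_at_least(ext, CLAUDE_EXT_FIXED):
            findings.append((row["host"], "claude extension below " + CLAUDE_EXT_FIXED))
    return findings

# Constructed sample inventory (not real data).
SAMPLE = """host,platform,chrome,claude_ext
ws-01,windows,146.0.7680.165,1.0.41
ws-02,mac,146.0.7680.80,
ws-03,linux,146.0.7680.164,1.0.9
ws-04,windows,not-reported,1.0.40
"""

if __name__ == "__main__":
    for host, finding in audit(SAMPLE):
        print(host, finding)
```

A host that has downloaded the update but not relaunched Chrome is still running the old build, so the inventory should record the running version where the collection tool can distinguish the two.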