Chrome fixes 31 flaws

Google released a Chrome security update that fixes 31 vulnerabilities, including high‑risk flaws that could allow arbitrary code execution. The update is presented as critical for endpoint security and should be validated in managed deployment pipelines. (cybersecuritynews.com)

Google pushed a Chrome security update on April 15 that fixes 31 vulnerabilities in Windows, Mac, and Linux builds now rolling out as version 147.0.7727.101/102 and 147.0.7727.101. (chromereleases.googleblog.com)

Web browsers process untrusted code from every site you visit, so memory bugs can turn a webpage into a path for crashing the browser or running attacker-controlled code. Google’s April 15 release lists 31 security fixes, including five marked “Critical.” (chromereleases.googleblog.com)

The critical bugs span core graphics and rendering components: a heap buffer overflow in ANGLE tracked as CVE-2026-6296, a use-after-free in Proxy as CVE-2026-6297, a heap buffer overflow in Skia as CVE-2026-6298, a use-after-free in Prerender as CVE-2026-6299, and a use-after-free in XR as CVE-2026-6358. Google’s post also lists a $90,000 reward for the ANGLE report and $10,000 for the Proxy bug. (chromereleases.googleblog.com)

A “use-after-free” flaw means Chrome keeps using a piece of memory after it has been released, like writing on a note after it has been thrown away and replaced. NIST says an earlier April Chrome bug, CVE-2026-5861 in the V8 JavaScript engine, could let a remote attacker execute arbitrary code inside Chrome’s sandbox through a crafted HTML page. (nvd.nist.gov)

Google said details for some bugs will stay restricted until “a majority of users are updated with a fix.” That is standard practice in Chrome release notes, which also warn that restrictions can stay in place when a third-party library used by other projects has not yet been patched. (chromereleases.googleblog.com)

The April 15 patch landed eight days after Google promoted Chrome 147 to stable on April 7. That earlier 147 release included two critical Web Machine Learning flaws and a long list of high-severity bugs in WebRTC, V8, WebAudio, Blink, ANGLE, and other components. (chromereleases.googleblog.com)

Chrome’s release system is built for frequent security fixes: the Chromium project says Stable gets minor updates every week and major updates every four weeks. That cadence is why enterprise teams often test browser updates quickly and then push them through managed deployment tools instead of waiting for a monthly patch cycle. (chromium.org)

Android is getting the same security fixes as the matching desktop release unless Google notes otherwise, and ChromeOS is on a separate browser version this week. For desktop users, the immediate check is whether Chrome has moved to 147.0.7727.101 or .102, because Google said the rollout will happen over the coming days and weeks. (chromereleases.googleblog.com)
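
For a managed fleet, the version check above can be run over an inventory export. The following is an added example, not code from Google or from the article: it assumes version strings have already been collected per host by an endpoint management tool, and the hostnames and sample versions are constructed. It compares builds numerically, since a plain string comparison would rank 147.0.7727.55 above 147.0.7727.101.

```python
import re

# Fixed build named in the article; .102 also satisfies the >= comparison.
FIXED_BUILD = (147, 0, 7727, 101)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a Chrome-style version."""
    m = VERSION_RE.fullmatch(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def triage(inventory, fixed=FIXED_BUILD):
    """Split {host: version_string} into patched / outdated / unknown hosts."""
    result = {"patched": [], "outdated": [], "unknown": []}
    for host, raw in sorted(inventory.items()):
        version = parse_version(raw)
        if version is None:
            # Empty or malformed data is reported, never assumed patched.
            result["unknown"].append(host)
        elif version >= fixed:
            result["patched"].append(host)
        else:
            result["outdated"].append(host)
    return result


# Constructed sample inventory (hostnames and versions invented for illustration).
SAMPLE_INVENTORY = {
    "win-001": "147.0.7727.102",
    "mac-002": "147.0.7727.101",
    "lin-003": "147.0.7727.55",        # above .101 as a string, below it numerically
    "win-004": "146.0.7680.178",       # previous major version
    "lin-005": "",                     # agent returned nothing
    "mac-006": "147.0.7727.101 beta",  # unexpected suffix
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket need a follow-up inventory run before they can be counted either way.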
