Multiple Critical Vulnerabilities in Google Chrome Could Allow Arbitrary Code Execution
What Happened – CIS (Center for Internet Security) published an advisory covering 18 newly identified vulnerabilities in Google Chrome (CVE‑2026‑6296 through CVE‑2026‑6364). The most severe of these allows arbitrary code execution in the context of the logged‑on user; where that user holds administrative rights, an attacker could install programs, view or change data, or create new accounts. No public exploitation has been observed yet.
Why It Matters for TPRM –
- A vendor employee's browser is an entry point into that vendor: a drive‑by compromise of any endpoint that reaches your data through Chrome extends the attack surface to downstream partners.
- CIS rates the risk as High for large and medium government and business entities, which indicates a material impact on critical third‑party operations.
- Prompt patching is essential to maintain the security posture of SaaS integrations that rely on Chrome for authentication or data entry.
Who Is Affected – Enterprises, government agencies, and service providers whose employees use Chrome on Windows, macOS, or Linux workstations; the exposure is greatest where users browse with administrative‑level accounts, since code executed in the user's context inherits those rights.
Recommended Actions –
- Verify that all Chrome installations are updated to version 147.0.7727.101 or later.
- Enforce least‑privilege policies on user workstations; restrict admin rights where possible.
- Deploy web‑filtering rules to block known malicious drive‑by sites until patches are applied, recognising this as a compensating control only: it does not cover sites not yet on a blocklist.
- Review third‑party risk registers for dependencies that embed Chromium rather than use the installed Chrome (e.g., Electron‑based desktop applications, remote‑desktop tools with a built‑in browser); these ship their own copy of the engine and are not fixed by updating Chrome.
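As an added example (not from the CIS advisory or from Google), the Python script below implements the first recommended action: it compares reported Chrome versions against the 147.0.7727.101 baseline numerically, field by field, and marks hosts where Chrome is missing or the version string cannot be parsed as "unknown" rather than silently passing them. The local-lookup paths are standard Chrome install locations; the fleet inventory at the bottom is constructed sample data.

```python
"""Fleet check for the Chrome baseline named in the advisory (added example, not CIS code).

Compares installed Chrome versions against 147.0.7727.101 numerically, field by
field, because a plain string comparison ranks 147.0.7727.99 above 147.0.7727.101.
The local lookup uses standard Chrome install locations; SAMPLE_FLEET is constructed.
"""
import os
import platform
import plistlib
import re
import shutil
import subprocess
from typing import Dict, Iterable, Optional, Tuple

PATCHED_BASELINE = "147.0.7727.101"  # minimum fixed version per the advisory
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Extract Chrome's MAJOR.MINOR.BUILD.PATCH from strings such as
    'Google Chrome 147.0.7727.101' or a bare '147.0.7727.101'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version in {text!r}")
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def is_patched(installed: str, baseline: str = PATCHED_BASELINE) -> bool:
    """True when the installed build is at or above the fixed baseline."""
    return parse_version(installed) >= parse_version(baseline)


def installed_chrome_version() -> Optional[str]:
    """Best-effort lookup of the local Chrome version; None if Chrome is not found."""
    system = platform.system()
    if system == "Windows":
        # Chrome keeps its binaries in a subfolder named after the version.
        roots = [os.path.join(os.environ.get(v, ""), "Google", "Chrome", "Application")
                 for v in ("PROGRAMFILES", "PROGRAMFILES(X86)", "LOCALAPPDATA")]
        found = []
        for root in roots:
            if os.path.isdir(root):
                found += [d for d in os.listdir(root) if _VERSION_RE.fullmatch(d)]
        return max(found, key=parse_version) if found else None
    if system == "Darwin":
        plist = "/Applications/Google Chrome.app/Contents/Info.plist"
        if not os.path.exists(plist):
            return None
        with open(plist, "rb") as fh:
            return plistlib.load(fh).get("CFBundleShortVersionString")
    for name in ("google-chrome", "google-chrome-stable"):  # Linux: ask the binary
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
            return out.stdout.strip() or None
    return None


def triage(fleet: Iterable[Tuple[str, Optional[str]]],
           baseline: str = PATCHED_BASELINE) -> Dict[str, str]:
    """Classify (host, reported_version) pairs as patched, vulnerable or unknown.

    'unknown' covers hosts where Chrome was not found or the version string could
    not be parsed; those need a manual look rather than a green tick.
    """
    result: Dict[str, str] = {}
    for host, version in fleet:
        if version is None:
            result[host] = "unknown"
            continue
        try:
            result[host] = "patched" if is_patched(version, baseline) else "vulnerable"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (hostname, version as reported by an endpoint agent).
SAMPLE_FLEET = [
    ("ws-01", "147.0.7727.101"),
    ("ws-02", "Google Chrome 147.0.7727.99"),  # sorts above the baseline as a string, is older
    ("ws-03", "146.0.7700.230"),
    ("ws-04", None),                            # Chrome not found by the agent
    ("ws-05", "148.0.7800.12"),
    ("ws-06", "chrome: n/a"),                   # malformed report
]

if __name__ == "__main__":
    local = installed_chrome_version()
    print("this host:", local, "->", triage([("localhost", local)])["localhost"])
    for host, status in triage(SAMPLE_FLEET).items():
        print(f"{host}: {status}")
```

Feed `triage()` the (hostname, version) pairs your inventory or EDR export produces; anything reported as "unknown" should be queried by hand, since a host with no Chrome found by the agent may simply have a per‑user install the agent did not look for.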
Technical Notes – The vulnerabilities span heap buffer overflows, use‑after‑free bugs, type‑confusion errors, and out‑of‑bounds reads/writes across components such as ANGLE, Skia, V8, and PDFium. Exploitation would typically occur through a drive‑by compromise (ATT&CK T1189): the victim visits, or is redirected to, a web page carrying crafted content that triggers one of the flaws, with no further user interaction required. No in‑the‑wild exploitation of these CVEs has been reported. Source: CIS Advisory 2026‑037