
The release follows responsible disclosure from independent security researchers and internal Google teams, with bug bounty rewards reaching up to $33,000 for a single flaw.
Users are strongly encouraged to update their browsers immediately, as access to full bug details remains restricted until a majority of the user base receives the fix.
Critical and High-Severity Vulnerabilities
Three of the ten patched flaws carry a Critical severity rating. The most notable is CVE-2026-3536, an integer overflow in Chrome’s ANGLE graphics layer, reported by researcher cinzinga on February 18, 2026, which earned a $33,000 bounty.
A second critical flaw, CVE-2026-3537, involves an object lifecycle issue in PowerVR, reported by Zhihua Yao of KunLun Lab on January 8, earning $32,000. The third critical bug, CVE-2026-3538, is an integer overflow in the Skia graphics engine, reported by Symeon Paraschoudis on February 17.
The remaining seven vulnerabilities are rated High severity and span a range of Chrome subsystems, from V8 and WebAssembly to CSS and Navigation.

| CVE ID | Severity | Component | Type | Reporter |
|---|---|---|---|---|
| CVE-2026-3536 | Critical | ANGLE | Integer Overflow | cinzinga |
| CVE-2026-3537 | Critical | PowerVR | Object Lifecycle Issue | Zhihua Yao, KunLun Lab |
| CVE-2026-3538 | Critical | Skia | Integer Overflow | Symeon Paraschoudis |
| CVE-2026-3539 | High | DevTools | Object Lifecycle Issue | Zhenpeng (Leo) Lin, depthfirst |
| CVE-2026-3540 | High | WebAudio | Inappropriate Implementation | Davi Antônio Cruz |
| CVE-2026-3541 | High | CSS | Inappropriate Implementation | Syn4pse |
| CVE-2026-3542 | High | WebAssembly | Inappropriate Implementation | qymag1c |
| CVE-2026-3543 | High | V8 | Inappropriate Implementation | qymag1c |
| CVE-2026-3544 | High | WebCodecs | Heap Buffer Overflow | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-3545 | High | Navigation | Insufficient Data Validation | |

The breadth of affected components, spanning graphics rendering (ANGLE, Skia, PowerVR), JavaScript execution (V8), multimedia (WebAudio, WebCodecs), and web standards (CSS, WebAssembly), reflects the wide attack surface modern browsers expose, according to the Google advisory.
Integer overflow and heap buffer overflow bugs, in particular, are frequently exploited to achieve remote code execution or sandbox escapes.
Google uses several automated detection tools in its development pipeline, including AddressSanitizer, MemorySanitizer, libFuzzer, and AFL, which help catch memory safety issues before they reach the stable channel.
Recommended actions:
- Update Chrome immediately by navigating to Settings → Help → About Google Chrome
- Enterprise admins should push the update via policy to all managed endpoints
- Monitor the Chrome Security Page for full CVE disclosures once the rollout is complete
- Report new issues directly via crbug.com
Google has not disclosed any evidence of active exploitation for any of the ten vulnerabilities at this time, but the Critical ratings make prompt patching a priority for all Chrome users across platforms.
The post Google Releases Emergency Chrome Update to Fix 10 Security Vulnerabilities appeared first on Cyber Security News.
