Google released a security update for its Chrome web browser that fixes 21 distinct security issues, including a 0-day issue that is exploited in the wild.
You know the drill: If you run Chrome or have it installed, update asap to close the vulnerabilities and protect your systems from potential attacks.
My preferred way of updating the browser is to run winget upgrade google.chrome.exe from the command line. You can also start Chrome and select Menu > Help > About Google Chrome.
The 21 vulnerabilities have a severity of high or medium. The 0-day vulnerability is CVE-2026-5281, which Google describes as a “Use after free in Dawn”.
Use after free describes memory corruption vulnerabilities that occur when a program attempts to access sections of computer memory that have already been released back to the system.
Dawn is a WebGPU implementation.
The official description of the vulnerability is the following:
Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page.
The new versions of the browser after installation of the update:
Chrome for Windows: 146.0.7680.177 or 146.0.7680.178
It is this time of the week again. Google has just released a security update for its Chrome web browser to patch two security issues with known attacks in the wild.
The update, which is available for Chrome on all desktop platforms and for Android, addresses two security issues. Google rates both with a severity rating of high.
The first issue is an out of bounds write in Skia, the specialized 2D graphics engine that is responsible for nearly everything that you see on the screen. It draws shapes, renders text, or displays images.
The second vulnerability is an inappropriate implementation in V8, another core component of all Chromium-based browsers. It is Google’s open source JavaScript and WebAssembly engine.
Google writes:
[N/A][491421267] High CVE-2026-3909: Out of bounds write in Skia. Reported by Google on 2026-03-10
[N/A][491410818] High CVE-2026-3910: Inappropriate implementation in V8. Reported by Google on 2026-03-10
Google is aware that exploits for both CVE-2026-3909 & CVE-2026-3910 exist in the wild.
Most unmanaged Chrome installations should receive the update automatically. You can speed it up by loading chrome://settings/help, if Chrome is open. Windows users may also run winget upgrade google.chrome.exe from the command line to upgrade the browser without opening it.
Expect upgrades for other Chromium-based browsers in the coming hours and days as well, as all use the very same components.
Google updates the stable version of its Chrome web browser every week right now. It gets one major version bump, for instance from version 145 to 146, and three point updates. The big update introduces new features and changes plus security updates, while the point updates usually contain only security fixes and major bug fixes.
Google announced a major change to the browser’s release cycle today on the official Chrome for Developers blog. “Starting September 2026, Chrome will move to a two-week release cycle”, writes Google on the blog.
Google continues:
The new release cycle means that a new beta and stable version of Chrome will ship every two weeks, starting from the stable release of Chrome 153 on September 8th. This applies to all platforms—Desktop, Android, and iOS. There will be no changes to the Dev and the Canary channels.
The company explains that this is done to “match the demands of a modern web” by providing developers and users with “immediate access to the latest performance improvements, fixes and new capabilities”. It may also help Google reclaim the (major) browser rank with the highest version, a coveted rank that it lost recently to Mozilla’s Firefox web browser.
The changes apply to stable Chrome on all platforms only. The Extended Stable release is not affected by this. It has a different schedule, as it is updated on an eight-week cycle. Similarly, Beta and Canary channels are also not affected by the change.
While the change may not look big, as Google retains the number of Chrome releases in a month, it is far from small either. Security updates usually install without major problems, but this can’t be said for a browser release that introduces changes or new features.
With two coming each month, users have to keep a good eye on the changes and should increase the number of backups that they make before installing new software to account for potential issues arising from this.
While I won’t cover all Chrome releases here on Chipp, you can expect me to cover those that are causing major issues.
Google announced three new features for its Chrome web browser on its official The Keyword blog recently. The new features — split view, save to Drive, and annotate — improve the productivity of Chrome users according to Google.
Users of several other browsers may not find the features as exciting as Google, as at least some of the features have been supported by other browsers for some time.
Split View is coming to Chrome
Split View is a typical example of such a feature. It allows you to display two websites next to each other in a single tab. Instead of displaying the two sites in two browser windows next to each other, you may display them in a single window.
This has some advantages, like easier handling as you interact with a single window only. However, there are also some disadvantages, including that only one address is shown in the address bar at a time.
Split View is not a new feature. In fact, Google is late to the party. Microsoft Edge, Vivaldi, Opera or Brave Browser support the mode already. Mozilla has also launched the feature in its Firefox web browser, but it is experimental at the time of writing.
How to use Split View in Chrome
Simply right-click on a tab in the web browser and select “Add tab to new Split View”. Chrome splits the space in half, with the right side empty in the beginning. Just select an open tab, which Chrome displays, type an address or pick a bookmark to load it in the second half.
Chrome displays both open websites in the same tab, but only the URL of the active tab in the address bar.
PDF annotations
If you open PDF documents in Chrome, you can now “highlight text and add notes” to it right in the browser. Google says that this eliminates the need to use a separate application for that.
This is not exactly a new feature either, as both Microsoft Edge and Mozilla Firefox have supported the feature for quite some time.
To use it, open a PDF document in Chrome and click on the draw icon in the toolbar once it is displayed. Here you find the new options to annotate directly to the PDF file.
Save to Drive
This is probably the strangest addition in this feature update. Google is reaching feature parity with Split View and PDF annotations, which is a good reason to introduce the features.
However, Save to Drive is the outlier. It enables you to save PDF documents that you view in Chrome to Google Drive. Google says this keeps important documents backed up in the cloud.
It is not as if this was not possible before already, at least in many cases. If you run Google Drive on your system, you could simply put the file into the Drive folder to store it locally and online. I guess it helps if you do not run the software and want to save PDFs to Drive directly. It saves the step of saving the document locally first before uploading it.
Now You: what is your take on the new features? Something that would make you switch to Google’s browser?
Google has issued an urgent security update for the Chrome desktop browser following the discovery of a high-severity vulnerability being actively exploited in the wild.
The update, which brings the Stable channel to version 145.0.7632.75 or 145.0.7632.76 for Windows and Mac, and 144.0.7559.75 for Linux, specifically addresses a “use after free” flaw within the browser’s CSS engine.
Identified as CVE-2026-2441, the bug was reported by security researcher Shaheen Fazim just days prior, prompting an accelerated rollout to protect users from potential attacks that leverage this exploit to compromise system memory.
Here are the key points from the update:
New Versions: The Stable channel has been updated to 145.0.7632.75/76 for Windows and macOS, and 144.0.7559.75 for Linux.
Zero-Day Patch: The update addresses CVE-2026-2441, a high-severity security flaw classified as a “Use after free” vulnerability in CSS.
Active Threat: Google has confirmed that they are aware of an exploit for this specific vulnerability existing in the wild.
Rapid Response: The bug was reported by researcher Shaheen Fazim on February 11, 2026, just two days before the release of this patch.
Rollout: The update will continue to become available to all users over the coming days and weeks.
How to install the Chrome update
Most unmanaged Chrome installations should receive the update automatically. The browser is configured to install updates automatically by default. Since this does not happen immediately, it is recommended to run a manual check for updates to speed up the process.
Open Google Chrome and select Menu > Help > About Google Chrome to do so. The browser should begin downloading and installing the security update immediately.
Windows users may also run winget upgrade google.chrome.exe to install the update from the command line without opening Chrome at all.
Note that it is highly recommended to upgrade the browser, even if it is not the main browser on the system. In short, if the browser is installed, upgrade it to protect it from potential exploits.
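For more than one machine, the check comes down to comparing each reported version against the fixed build for its platform. The following is an added example, not code from Google or from this article: the thresholds are the builds listed above for CVE-2026-2441, while the inventory, host names and platform labels are constructed for illustration.

```python
import re

# Fixed Stable builds for CVE-2026-2441 as listed in the article, per platform.
FIXED = {"windows": "145.0.7632.75", "macos": "145.0.7632.75", "linux": "144.0.7559.75"}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract a four-part version from text such as 'Google Chrome 145.0.7632.76'."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None

def needs_update(platform, version_text, fixed=FIXED):
    """True if older than the fixed build, False if patched, None if it cannot be judged."""
    installed = parse_version(version_text)
    minimum = parse_version(fixed.get(platform.lower(), ""))
    if installed is None or minimum is None:
        return None
    # Compare as integer tuples: as strings, "145.0.7632.9" would sort after "145.0.7632.75".
    return installed < minimum

def triage(inventory):
    """Sort (host, platform, version output) rows into update / ok / unknown."""
    result = {"update": [], "ok": [], "unknown": []}
    for host, platform, version_text in inventory:
        verdict = needs_update(platform, version_text)
        key = "unknown" if verdict is None else ("update" if verdict else "ok")
        result[key].append(host)
    return result

# Constructed inventory: host, platform, output of the browser's version command.
INVENTORY = [
    ("ws-01", "windows", "Google Chrome 145.0.7632.76"),
    ("ws-02", "windows", "Google Chrome 145.0.7632.9"),
    ("mac-01", "macos", "Google Chrome 144.0.7559.75"),
    ("lin-01", "linux", "Google Chrome 144.0.7559.75 "),
    ("lin-02", "linux", "command not found"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(INVENTORY).items():
        print(bucket, hosts)
```

The same build number, 144.0.7559.75, is patched on Linux but outdated on macOS and Windows, which is why the threshold has to be looked up per platform.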
If you are using Chrome and are signed-in to a Google account, you may have received a fair share of requests to sign-in with your account on third-party websites, provided that you do not have an account there already.
The main idea is to make sign ups on third-party sites easier and more secure by using the Google account. Google provides the site with information to set up the account and you decide much of what you want to share and what not. The user password is never provided by Google, which is an advantage.
There are disadvantages: using one account for multiple sites and Google knowing which sites you create accounts on.
The prompts appear on site load and at least some users find them highly annoying. Not everyone wants to (or can) use Chrome without being signed in or switch to another browser. There is another option, but it is hidden deep in the Chrome settings.
How to stop Chrome from showing “Continue As” prompts
Here are the required steps for desktop Chrome:
Enable the block option in the Settings to prevent continue-as-prompts in the future.
Load chrome://settings/content/federatedIdentityApi in the browser’s address bar.
Enable “Block sign-in prompts from identity services” under Default Behavior.
This takes care of the prompts. You can add sites to the allow-list, but this is only useful if you want to create an account on the website using your Google information.
Here are the required steps for mobile Chrome:
In mobile Chrome, you need to open the setting manually.
Open the Settings.
Go to Site Settings.
Tap on Third-party sign-in.
Toggle “Third-party sign-in” so that it is off.
This blocks all future attempts in mobile versions of the Chrome web browser.
Manage existing connections
Google’s support page provides information on managing existing connections. You can review all connections on the third-party connections page on Google’s website.
Switch to the “Sign-In with Google” tab first. Google lists all connections and you may click on the “>” icon to display details. There you may remove it by selecting “Stop using Sign in with Google” and confirm the decision.
Note that this severs the connection only, but it does not affect the data that the third-party site has accumulated.
What you may do instead
While the option to use your Google account on third-party sites may be convenient, most users may benefit from separating accounts.
Apart from providing Google and the third-party site with additional information, any successful account breach gives the attacker access to not only Google but all other sites with connections.
My suggestion: stick to the one site, one unique account rule, and turn off the prompts, if you do use Chrome and want to stay signed in. (source: Caschys Blog)
Google is officially transforming the web browser from a static tool into an active personal agent with the launch of Gemini 3 and “Auto-Browse” in Chrome, and the push into a personalized AI experience.
Announced yesterday for desktop users, with the exception of Chrome for Linux, this major update integrates Google’s most advanced AI model directly into the browser to handle complex, multi-step tasks.
Google is pushing Gemini with the help of its Chrome browser
Look out, OpenAI: Gemini could get a massive user boost thanks to the integration in the world’s biggest browser.
Here is an overview of the features that Google announced:
Auto-Browse (Agentic Browsing): The flagship feature for AI Pro and Ultra subscribers in the U.S. that performs multi-step “chores” on your behalf. It can research travel costs across dates, fill out complex online forms, file expense reports, or add specific items to a shopping cart based on an image.
Gemini Side Panel: A persistent area in Chrome that supports interactions with the AI without losing focus. It supports the usual AI-features, such as summarizing a page, comparing features across several tabs, or finding time in your calendar.
Integrated “Nano Banana”: The latest version of Google’s image generator is integrated into the browser. Also accessible from the side panel, you can use text prompts for creative tasks, such as turning research data into infographics or manipulating images open in the browser.
Connected Apps Integration: Deeper connectivity with the Google ecosystem, allowing Gemini to pull information from Gmail, Calendar, Maps, and Google Flights to execute workflows (e.g., finding a flight based on an event invitation in your email).
Personal Intelligence: A proactive feature that remembers context from past conversations to provide tailored answers. It learns user preferences over time to transform the browser into a “trusted partner” rather than a general-purpose tool.
Universal Commerce Protocol (UCP) Support: Integration with a new open standard (co-developed with brands like Shopify and Wayfair) that allows AI agents to navigate checkout processes and take commercial actions across different retail sites securely.
Enhanced Security & “Pause and Confirm”: New defenses designed for agentic AI, including a safety mechanism where Auto-Browse must pause and ask for explicit user confirmation before completing sensitive actions.
Closing Words
It is clear that Gemini will get a huge user boost from this. Even if Google limits exposure to certain regions or subscription models at first, it is clear that it will expose as many users as possible to Gemini in Chrome in the long run.
Why? Because it is giving Google an edge over the competition. Plus, when users run into usage limits, they may become paying subscribers, which seems to be one of the preferred options right now to increase revenue and compensate for expenses.
The benefit for users invested in Google’s ecosystem is there, especially if you connect the AI to other Google services. Whether you really want that, an all-knowing AI that may know more about your desires, life and plans than your closest friends, is up for you to decide.
I see the benefits, but also the dangers. While I do use AI tools for some tasks, such as creating a teaser image for an article here or the weekly newsletter, I do not really see a benefit in letting AI do the shopping for me, even with all safeguards in place.
Several Chrome and Microsoft Edge extensions, designed to protect users online, were discovered to include AI harvesting code that captured, among other things, every AI prompt and response made in the browser it was installed in.
Security researchers at KOI discovered Urban VPN Proxy by chance. The Chrome extension had over 6 million users, a 4.7 star rating at the Chrome web store, and a featured badge by Google.
Featured meant that Google reviewed the extension manually to ensure that it follows “technical best practices” and meets “a high standard of user experience and design”.
The makers of the extension, which was also installed by over 1.3 million Microsoft Edge users via Microsoft’s own extensions store, promised unhindered access to any website and the unblocking of content.
According to KOI, the extension did not always have AI harvesting functionality baked into it. This started on July 9, 2025 with the release of version 5.5.0. It shipped with AI harvesting enabled by default.
This meant that AI interactions of any user who updated the extension to the new version or installed it anew were collected.
KOI says the following gets captured:
Every prompt you send to the AI
Every response you receive
Conversation identifiers and timestamps
Session metadata
The specific AI platform and model used
The extension supports ten major AI platforms, including ChatGPT, Gemini, Claude, Microsoft Copilot, Grok, Meta AI, Perplexity, and DeepSeek, according to KOI.
It injects scripts into the AI platform’s website whenever a supported site is loaded in the browser. From there, it manipulates browser functions to route all network requests through itself. These requests get parsed and then exfiltrated by a background service worker.
A quick search for extensions that use the same code revealed three additional extensions, available on both the Chrome and the Microsoft Edge web store.
These are 1ClickVPNProxy, Urban Browser Guard, and Urban Ad Blocker. All eight extensions have an accumulated user count of over 8 million.
How could this have been prevented?
Unlike Mozilla, which reviews the updates of featured extensions for Firefox as well, neither Google nor Microsoft seems to do that. This is a loophole that gets exploited over and over again: create or buy a harmless extension that is useful, get the featured badge by passing the manual review, and release an update with malicious code later on, as (some?) updates seem to be accepted automatically.
So, if you use extensions, Firefox is the safer bet, but only for featured extensions. This has downsides of its own, including that it takes longer before updates become available.
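Because the behavior described above starts with scripts injected on AI chat sites, one local check is to read each installed extension's manifest.json and see where its content scripts are declared to run. This is an added triage example, not KOI's method and not code from any of the extensions named; the hostnames for the AI platforms and the two sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Assumption: hostnames picked for this example for the eight platforms the article names.
AI_BASES = ["chatgpt.com", "gemini.google.com", "claude.ai", "copilot.microsoft.com",
            "grok.com", "meta.ai", "perplexity.ai", "deepseek.com"]

def match_host(pattern):
    """Host part of a match pattern such as '*://*.example.com/*' ('' if not http/https)."""
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return ""
    return rest.split("/", 1)[0].lower()

def is_broad(pattern):
    """Patterns that run on every site; common in VPN and ad-blocking extensions."""
    return pattern == "<all_urls>" or match_host(pattern) == "*"

def pattern_targets(pattern, base):
    """True if a host-specific pattern can match `base` or one of its subdomains."""
    host = match_host(pattern)
    wildcard = host.startswith("*.")
    if wildcard:
        host = host[2:]
    if not host or host == "*":
        return False
    if host == base or host.endswith("." + base):
        return True
    return wildcard and base.endswith("." + host)

def audit_manifest(manifest):
    """Triage one parsed manifest.json: where do its content scripts run?"""
    targeted, broad = set(), False
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if is_broad(pattern):
                broad = True
            else:
                targeted.update(b for b in AI_BASES if pattern_targets(pattern, b))
    return {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "targets_ai_hosts": sorted(targeted),
        "runs_on_all_sites": broad,
        "has_service_worker": "service_worker" in manifest.get("background", {}),
    }

def scan_extensions(ext_root):
    """Audit <profile>/Extensions/<id>/<version>/manifest.json; return flagged entries."""
    flagged = []
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not abort the sweep
        result = audit_manifest(manifest)
        if result["targets_ai_hosts"]:
            result["extension_id"] = path.parts[-3]
            flagged.append(result)
    return flagged

# Constructed sample manifests (not taken from any real extension).
SAMPLE_TARGETED = {"name": "Constructed VPN sample", "version": "1.0.0",
                   "background": {"service_worker": "bg.js"},
                   "content_scripts": [{"matches": ["https://chatgpt.com/*", "*://*.claude.ai/*"],
                                        "js": ["inject.js"]}]}
SAMPLE_BENIGN = {"name": "Constructed notes sample", "version": "2.1.0",
                 "content_scripts": [{"matches": ["https://example.org/*"], "js": ["n.js"]}]}

if __name__ == "__main__":
    for sample in (SAMPLE_TARGETED, SAMPLE_BENIGN):
        print(audit_manifest(sample))
```

A hit is a reason to look closer, not a verdict: scan_extensions only flags manifests that name AI chat hosts explicitly, while extensions that run on all sites are reported through runs_on_all_sites and need a manual look at what their scripts do.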
Google released Chrome 142 to the stable channel recently with just a few changes that it revealed publicly. Noteworthy is a new permission that regulates access to local resources. Basically, users will see a prompt going forward, if a website or application attempts to access a resource on the local network.
It turns out that Google is also rolling out a new tab feature gradually to all users. Split View allows users to display two websites or apps in Chrome side by side in the same browser window.
All you need to do for that is to right-click on the first tab and select the option “move tab into split view”. If you want, you can also select to move it to the left or right location in split view directly.
Google Chrome then displays the list of other tabs open in the browser, so that you can pick one for the other half.
Tip: You can enable the feature right away in Chrome, if you like. Just load chrome://flags/#side-by-side in the Chrome address bar and change the status of the feature to Enabled. Restart Chrome, and the new context menu option becomes available when you right-click on tabs.
Split View: pros and cons
So what is the advantage of Split View compared to using two browser windows? The main advantage is that both websites are displayed in a single browser window. You can display, move, hide, or close them at once, while you would have to juggle two windows if you displayed the two websites in two Chrome instances. You can also be sure that both sites are always visible when the browser window is active.
However, there are also some disadvantages. You can only see one of the URLs at the same time in the Chrome window. It changes when you activate the website in the inactive half, but it is still worth considering that you don’t see the address all the time.
Google is late to the party
Split View is not a particularly new feature. Vivaldi, for instance, has supported it for years and even gives users multiple layout options that go beyond displaying two sites side-by-side or split horizontally.
Most web browsers display warning messages when you attempt to load a website that does not use HTTPS, the secure version of the HTTP protocol, or when a site has misconfigured HTTPS.
Starting in October 2026, Chrome will make HTTPS the default for all connections in the browser. This means that whenever you visit a site that does not use it or has configuration issues, you will get a prompt.
“This site doesn’t support a secure connection” is displayed in that case. The prompt includes quite a bit of text explaining why that is bad. However, Chrome displays two options to the user in that case.
The first, “go back” returns to the previous site or the new tab page, depending where you started your request. The second, “continue to site” still allows you to visit the site in question.
The planned change makes the optional feature “always use secure connections” mandatory once it lands next year. Since the feature is available already, albeit as an optional preference, it is possible to enable it right away to see what it does. Ideal for testing purposes.
Here is how you enable it (or disable it again):
Load chrome://settings/security in the browser’s address bar. You can also select Menu > Settings > Privacy and Security manually, if you prefer that.
Scroll down to the Secure connections section.
Toggle “Always use secure connections” here to enable or disable the feature.
When you enforce HTTPS, you will receive security prompts whenever something is loaded in Chrome that does not use HTTPS.
Google says that non-HTTPS traffic has dropped significantly, but that HTTPS has plateaued at about 95% of all sites. The main driver for insecure traffic, according to Google, is navigations to private sites that are insecure. While less risky than navigations to insecure public sites, attackers may exploit them either way.
Google predicts that the actual warning volume in Chrome will get lower once it lands the change in the browser and sites start moving towards HTTPS even more than before.
It will certainly make it more difficult for users to access sites that do not use HTTPS and do not plan on migrating, for whatever reason.
Now You: have you visited sites that do not use HTTPS in the recent past, or have all of your sites that you visit switched to HTTPS already? Feel free to leave a comment down below.