// #browser-security
8 articles
Managing Chrome V8 Zero-Days in Enterprise Fleets: Browser Asset Inventory and Rapid Update Strategies
CVE-2026-11645's active exploitation before the patch highlights a persistent gap in enterprise browser management: many organisations do not maintain accurate browser version inventories or have the ability to push browser updates faster than the standard monthly patch cycle. This guide covers Chrome fleet management, version enforcement, and emergency update deployment.
Google Chrome Zero-Day CVE-2026-11645: V8 Out-of-Bounds Write Actively Exploited Before Patch
Google has released Chrome 149.0.7762.95 patching CVE-2026-11645, an out-of-bounds write in the V8 JavaScript engine that was actively exploited before disclosure. CISA has added the flaw to the Known Exploited Vulnerabilities catalogue. All users and enterprise deployments should update immediately — CISA's federal deadline is 30 June.
Microsoft Reverses Course on Edge Plaintext Password Exposure — Update Will Prevent Loading Saved Passwords into Process Memory
Following disclosure on 11 May that Microsoft Edge loads saved passwords as plaintext into process memory at startup, Microsoft confirmed it will release a patch preventing password data from being loaded into memory outside of active use contexts. The fix addresses the specific vulnerability class that allows process memory dumpers to extract Edge-saved credentials without user interaction.
Microsoft Edge Stores Saved Passwords as Plaintext in Process Memory — No CVE, No Patch
Security researchers have documented that Microsoft Edge's built-in password manager stores user-saved passwords in cleartext within the browser's process memory — readable by any process on the same system with the ability to dump Edge process memory. Microsoft has acknowledged the behaviour and characterised it as a performance design decision, not a vulnerability warranting a security fix. Users relying on Edge's password manager for credential storage should understand what this means for their threat model.
Firefox and Tor Browser CVE-2026-6770 — IndexedDB Cross-Origin Data Leak Exposes User Browsing Identity
A cross-origin data leakage vulnerability in Firefox and Tor Browser's IndexedDB implementation allows a malicious web page to read data stored by other origins in the IndexedDB API — potentially identifying users by their stored browsing data and breaking the origin isolation that Tor Browser's anonymity model depends on. CVE-2026-6770 is fixed in Firefox 130.0.1 and a Tor Browser update. Tor Browser users should update immediately given the privacy implications.
108 Malicious Chrome Extensions Exfiltrating Browser Data Removed from Web Store
Google has removed 108 extensions from the Chrome Web Store after researchers identified a coordinated malicious extension campaign conducting browser credential harvesting, session cookie theft, and clipboard monitoring across millions of installations. The extensions impersonated productivity tools, ad blockers, and security tools — with some active for over 18 months before detection. Enterprise Chrome deployments should audit installed extensions against the published IOC list.
Google Patches Fourth Chrome Zero-Day of 2026 — CVE-2026-5281 Use-After-Free in WebGPU
Google has patched CVE-2026-5281, a use-after-free vulnerability in Chrome's Dawn WebGPU implementation that is being actively exploited in the wild. This is the fourth Chrome zero-day exploited in attacks in 2026. CISA added it to the KEV catalogue on 1 April with a deadline of 15 April for federal agencies. Update to Chrome 146.0.7680.177/178.
Google Patches Two Actively Exploited Chrome Zero-Days — CISA Orders Federal Agencies to Update by 27 March
Google released an emergency Chrome update on 13 March addressing two zero-day vulnerabilities — an out-of-bounds write in Skia and a V8 sandbox escape — both confirmed as exploited in the wild. CISA added both to the Known Exploited Vulnerabilities catalogue the same day with a 27 March federal remediation deadline.