Chrome users are currently at risk from multiple zero-day vulnerabilities in the browser, including the recently patched CVE‑2026‑0628 in WebView and earlier high-severity flaws like CVE‑2025‑4664 (Loader), CVE‑2025‑10585 (V8 engine), and several others actively exploited in the wild. These vulnerabilities have allowed attackers to bypass sandbox protections, execute arbitrary code, and leak sensitive data, putting billions of users at risk unless they update immediately.
Why Chrome Zero-Days Matter
When a zero-day flaw is found in Chromium-based systems like Chrome, Edge, or Brave, attackers can exploit it before developers can release a patch. Given Chrome’s massive user base—over three billion users—these vulnerabilities can quickly become widespread threats, especially because they often allow remote code execution or sandbox escapes without user interaction.
Notable Vulnerabilities and Exploits
CVE‑2026‑0628: WebView Policy Enforcement
Google patched this recent high-risk vulnerability in January 2026. The WebView component failed to enforce origin policies, so a malicious extension could inject script or HTML into privileged pages . While there are no current reports of active exploitation, security analysts urge users to update browser versions 143.0.7499.192/193 (Windows/macOS) or 143.0.7499.192 (Linux) immediately . As journalist Davey Winder warns: “should an attacker actually exploit this vulnerability… update now. Today, if at all possible.”
CVE‑2025‑4664: Loader Policy Bypass
Patched in early 2026, this vulnerability stemmed from inadequate policy enforcement in Chrome’s loader, potentially allowing unauthorized code execution or data leaks via HTML-based attacks . Google acknowledged active exploitation and pushed updates in versions 136.0.7103.113/.114 .
V8 Engine Exploits: Type Confusion and Memory Corruption
Multiple zero-days targeted Chrome’s JavaScript engine in 2025:
- CVE‑2025‑10585 — A type-confusion bug that allowed heap corruption and arbitrary code execution just by visiting a malicious page. It was Google’s sixth confirmed Chrome zero-day of 2025, patched in version 140.0.7339.185/.186 .
- CVE‑2025‑6554, CVE‑2025‑5419, CVE‑2025‑6558, and others — Exploited in the wild through V8 or WebAssembly flaws, allowing sandbox escapes and malicious activity with minimal user interaction .
Collectively, these incidents highlight a disturbing pattern: sophisticated, stealthy attacks targeting browser internals to bypass defenses.
CVE‑2025‑2783: Operation ForumTroll
In March 2025, Kaspersky revealed that clicking a phishing link targeting media and government entities triggered a zero-day exploit (CVE‑2025‑2783) that immediately bypassed Chrome’s sandbox—no further user interaction needed . Known as “Operation ForumTroll,” the campaign was linked to state-sponsored espionage .
Real-World Impacts and Industry Context
These attacks often target high-value sectors—media, government, education—with espionage motives. The sophistication of the exploits, many requiring only a click, underscores the critical need for vigilance. Chrome’s automatic update mechanism helps, but manual checks are frequently recommended due to the fast weaponization of disclosed flaws.
“The exploit bypassed Chrome’s sandbox protection without performing any obviously malicious operations—it’s as if the security boundary simply didn’t exist.”
— Boris Larin, Principal Security Researcher, Kaspersky GReAT
This quote reflects the unprecedented technical subtlety driving these attacks, reinforcing that even minor code misfires can yield major breaches.
Summary of Chrome Zero-Day Timeline (2025–2026)
- March 2025: CVE‑2025‑2783 exploited in “Operation ForumTroll” espionage campaign .
- Mid‑2025: Multiple V8/WebAssembly zero-days (CVE‑2025‑5419, CVE‑2025‑6554, etc.) actively used .
- Sept 2025: CVE‑2025‑10585 patched, first acknowledged V8 type-confusion zero-day exploited in the wild .
- Jan 2026: CVE‑2025‑4664 patched; confirmed active exploitation .
- Jan 2026: Latest patch for CVE‑2026‑0628 (WebView) released; users urged to update .
Conclusion and Takeaway
Chrome users remain at risk from advanced zero-day vulnerabilities due to the browser’s widespread adoption and the ingenuity of attackers. With threats ranging from policy bypasses in WebView to type confusion in V8, it’s far from safe territory. Updates must be applied without delay—ideally as soon as patches are released.
Security teams should enforce automated updates, monitor for unusual browser behavior, and educate users about phishing risks. Regular threat briefings can help anticipate the next wave of browser-centric attacks.
FAQs
Why do zero-day vulnerabilities in Chrome get patched so frequently?
Chrome protects a vast user base and evolves rapidly. Attackers exploit even minor flaws using zero-days, prompting frequent patches to stem escalating threats.
Does updating Chrome immediately really help?
Absolutely. Most exploits become weaponized immediately after discovery. Updating quickly ensures you’re protected before attackers can exploit the flaw.
Do zero-days require user interaction?
Often no. Many are triggered by simply visiting a malicious web page, known as drive-by attacks. That’s why patches are vital.
Are Chrome’s sandbox protections effective?
Generally, yes—but not infallible. Several zero-days have bypassed sandbox defenses, affirming that multi-layered defenses are essential.
Does this issue affect other Chromium browsers?
Yes. Any zero-day in Chrome’s core often impacts Edge, Brave, Opera, and other Chromium-based browsers, so they too must update promptly.
How can organizations monitor zero-day threats more effectively?
By subscribing to threat intelligence feeds, implementing behavior-based monitoring, and conducting proactive patch management, organizations can reduce exposure to rapidly emerging threats.
