Critical Chrome Vulnerability Under Active Exploitation
Google has released an emergency security update for Chrome after discovering a critical zero-day vulnerability that is being actively exploited by threat actors. The vulnerability, tracked as CVE-2026-3047, affects all versions of Chrome prior to 134.0.6998.89 and could allow attackers to execute arbitrary code on a victim's computer simply by visiting a malicious website.
With approximately 3.2 billion users worldwide, Chrome is the most widely used web browser, making this one of the most impactful zero-day disclosures in recent memory.
What Is the Vulnerability?
CVE-2026-3047 is a use-after-free vulnerability in Chrome's V8 JavaScript engine — the same component that processes JavaScript code on every webpage you visit. The technical details:
- Type: Use-after-free in V8 garbage collector
- Severity: Critical (CVSS 9.8/10)
- Attack vector: Visiting a specially crafted webpage — no user interaction beyond navigation required
- Impact: Remote code execution — an attacker could install malware, steal data, or take full control of the affected system
- Exploitation status: Actively exploited in the wild
"Google is aware that an exploit for CVE-2026-3047 exists in the wild. We urge all Chrome users to update immediately," Google stated in its security advisory.
Who Discovered It?
The vulnerability was discovered by researchers at Google's Threat Analysis Group (TAG) during an investigation into a sophisticated cyber-espionage campaign targeting government officials, journalists, and human rights activists in multiple countries. TAG attributes the exploitation to a state-sponsored threat actor, though the specific nation-state has not been publicly identified.
The exploit was being delivered through spear-phishing emails containing links to legitimate-looking but compromised websites. Victims who clicked the links and visited the page in Chrome were silently compromised — no additional interaction was needed.
How to Update Chrome
Updating Chrome is straightforward and takes less than a minute:
- Desktop (Windows, Mac, Linux): Click the three-dot menu in the top-right corner, go to Help, then About Google Chrome. Chrome will automatically check for and install the update. Restart the browser to apply.
- Android: Open the Google Play Store, search for Chrome, and tap Update.
- iOS: Open the App Store, search for Chrome, and tap Update.
- Chromebook: Go to Settings, About ChromeOS, and check for updates.
After updating, your Chrome version should be 134.0.6998.89 or later.
Are Other Browsers Affected?
Because the vulnerability is in the V8 engine, which is used by all Chromium-based browsers, the following browsers are also affected and should be updated:
- Microsoft Edge (update to 134.0.3109.44 or later)
- Brave (update to 1.74.51 or later)
- Opera (update to 116.0.5389.37 or later)
- Vivaldi (update pending — use with caution until patched)
Safari and Firefox are not affected, as they use different JavaScript engines (JavaScriptCore and SpiderMonkey, respectively).
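For administrators checking many machines, the version thresholds above can be applied to a browser inventory. The following is an added example, not code from Google or from the original article; the host names and sample version strings are constructed, and it assumes each inventory entry reports the same version numbering the article uses for that browser.

```python
import re

# Minimum patched versions as listed in this article. None = no fixed build announced yet.
PATCHED = {
    "chrome": "134.0.6998.89",
    "edge": "134.0.3109.44",
    "brave": "1.74.51",
    "opera": "116.0.5389.37",
    "vivaldi": None,
}
UNAFFECTED = {"safari", "firefox"}  # different JavaScript engines, per the article

def parse_version(text):
    """Return the first dotted version in text as a tuple of ints, or None."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    return tuple(int(p) for p in m.group().split(".")) if m else None

def status(browser, version_text):
    """Return 'unaffected', 'patched', 'vulnerable', 'no-fix' or 'unknown'."""
    name = browser.lower()
    if name in UNAFFECTED:
        return "unaffected"
    if name not in PATCHED:
        return "unknown"
    if PATCHED[name] is None:
        return "no-fix"
    installed = parse_version(version_text)
    if installed is None:
        return "unknown"
    # Compare integer tuples: as strings, "134.0.6998.100" sorts before "134.0.6998.89".
    return "patched" if installed >= parse_version(PATCHED[name]) else "vulnerable"

def audit(inventory):
    """Return (host, browser, status) for every entry that still needs attention."""
    return [(h, b, status(b, v)) for h, b, v in inventory if status(b, v) not in ("patched", "unaffected")]

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-01", "Chrome", "Google Chrome 134.0.6998.100"),
    ("ws-02", "Chrome", "Google Chrome 134.0.6998.35"),
    ("ws-03", "Edge", "Microsoft Edge 134.0.3109.44"),
    ("ws-04", "Brave", "1.73.104"),
    ("ws-05", "Vivaldi", "7.1.3570.58"),
    ("ws-06", "Firefox", "Mozilla Firefox 135.0"),
]

if __name__ == "__main__":
    for host, browser, state in audit(SAMPLE):
        print(f"{host}: {browser} -> {state}")
```

A machine that has downloaded the update but not restarted the browser may still be running the old build, so inventory data should reflect the running version where possible.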
Broader Context
This is the fourth Chrome zero-day discovered in 2026, continuing a troubling trend. In 2025, Google patched 10 zero-day vulnerabilities in Chrome, and the pace is accelerating. The increasing discovery rate reflects both the growing sophistication of state-sponsored attackers and improved detection capabilities by Google's security teams.
For everyday users, the message is simple: keep your browser updated. Automatic updates are enabled by default in Chrome, but they only take effect when you restart the browser. If you are someone who keeps dozens of tabs open for weeks at a time, now would be an excellent time to restart.