Google Rushes To Patch Actively Exploited Chrome Security Flaws

By 813 Staff

Google has rushed to patch actively exploited Chrome security flaws, according to BleepingComputer (@BleepinComputer) on March 13, 2026.

Source: https://x.com/BleepinComputer/status/2032350253765054742

For the second time in less than a month, Google has been forced to issue emergency security patches for actively exploited zero-day vulnerabilities in its Chrome browser. The latest update, version 124.0.6367.78/.79 for Windows and Mac and .80 for Linux, addresses two critical flaws that attackers were already using in the wild before a fix was available. According to a report by BleepingComputer (@BleepinComputer), the vulnerabilities, tracked as CVE-2024-4671 and CVE-2024-4761, are both high-severity issues related to the browser’s visual rendering components. This marks the third and fourth zero-days Google has patched in Chrome since mid-April, a concerning acceleration in the pace of discovered attacks.

The technical specifics, as detailed in Google’s advisory, point to flaws within the Visuals component, which handles how web content is displayed. While the company typically withholds granular details until most users have updated, the classification as “use-after-free” vulnerabilities is telling. Engineers close to the project say these types of bugs are memory corruption issues where a program attempts to access memory after it has been freed, creating a window for attackers to execute arbitrary code or crash the system. The fact that both were discovered externally and reported by anonymous security researchers suggests a vigilant community is finding what Google’s own audits may have missed. The rollout has been anything but smooth, however, with the typical staggered update process leaving a significant portion of the billions-strong user base vulnerable for days after the fix is announced.

This matters because Chrome’s dominance makes it the most lucrative target on the planet. Every unpatched zero-day is a key to potentially millions of devices, and the shortened timeline between discovery and exploitation means the defensive playbook is collapsing. For enterprise IT teams, this is a five-alarm fire requiring immediate deployment. For everyday users, it underscores the non-negotiable necessity of enabling automatic updates. The “stable” channel is proving to be anything but, with these emergency patches becoming a routine disruption. The repeated incidents in such a short span point to either a particularly aggressive state-sponsored threat actor probing Chrome’s defenses or a broader increase in the sophistication of exploit kits targeting foundational browser code.

What happens next is a waiting game. Chrome users must restart their browsers to apply the patch, a step many delay. Google’s Threat Analysis Group will likely continue its forensic work to attribute the attacks and understand the full scope of the exploitation. The larger, unresolved question within the security community is whether this cluster of zero-days indicates a specific weakness in Chrome’s current architecture or simply reflects its status as the prime target for advanced persistent threats. One certainty is that this will not be the last emergency patch. The cycle of exploit and patch has entered a more frantic phase, and the burden of vigilance now falls more heavily on the end-user to close the window of vulnerability as fast as humanly possible.
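For teams verifying the rollout, the sketch below classifies hosts against the fixed builds named in this article and separates machines that have the update on disk but are still running an old browser process. It is an added example, not code from Google or BleepingComputer; the inventory records and field names (`installed`, `running`) are constructed, and it assumes the lowest build listed per platform is the minimum fixed version.

```python
# Fleet check against the fixed Chrome builds named in the article (added example).
# Lowest fixed build per platform, as listed in the article (assumed to be the minimum).
FIXED = {
    "windows": (124, 0, 6367, 78),
    "mac": (124, 0, 6367, 78),
    "linux": (124, 0, 6367, 80),
}

# Constructed inventory; host names, field names and version values are illustrative.
INVENTORY = [
    {"host": "ws-01", "os": "windows", "installed": "124.0.6367.79", "running": "124.0.6367.79"},
    {"host": "ws-02", "os": "windows", "installed": "124.0.6367.78", "running": "124.0.6367.61"},
    {"host": "mb-01", "os": "mac", "installed": "124.0.6367.9", "running": "124.0.6367.9"},
    {"host": "lx-01", "os": "linux", "installed": "124.0.6367.78", "running": "124.0.6367.78"},
    {"host": "lx-02", "os": "linux", "installed": "not installed", "running": ""},
]

def parse_version(text):
    """Turn '124.0.6367.78' into a tuple of ints; return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(host):
    """Return 'patched', 'restart-pending', 'vulnerable' or 'unknown'."""
    fixed = FIXED.get(host.get("os", "").lower())
    installed = parse_version(host.get("installed", ""))
    running = parse_version(host.get("running", ""))
    if fixed is None or installed is None:
        return "unknown"
    if installed < fixed:  # tuple comparison, so .9 sorts below .78
        return "vulnerable"
    # The update is on disk, but an old process keeps running
    # until the user restarts the browser.
    if running is not None and running < fixed:
        return "restart-pending"
    return "patched"

def audit(inventory):
    """Map each host name to its classification."""
    return {h["host"]: classify(h) for h in inventory}

if __name__ == "__main__":
    for name, status in audit(INVENTORY).items():
        print(f"{name}: {status}")
```

Comparing versions as integer tuples rather than strings matters here: a string comparison would rank build `.9` above `.78` and report `mb-01` as patched.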

