If you spend any time online, Chrome is probably already on your phone or computer — and that makes you part of a very large target pool. Google patches security flaws constantly, but recent disclosures show that even actively exploited vulnerabilities can sit in your browser for days before you get the fix. The good news is Chrome has built-in tools designed to catch problems before they catch you.

4 related posts

Vulnerabilities Patched in December 2025: 30 (4 Critical) · Chrome Users Affected: 3.4 billion · Recent High-Severity Flaw: Digital Credentials (Dec 2025) · Chrome Safety Check Feature: Built-in on Android · Vulnerability Reward Program: Active via Bug Hunters

Quick snapshot

1Confirmed facts
2What’s unclear
3Timeline signal
  • The March 2026 Android bulletin included 129 vulnerabilities, including a Qualcomm zero-day already being exploited on 235 chipsets (TechRadar security coverage)
4What’s next
  • Android 16 users gain Advanced Protection in Chrome, enforcing HTTPS, Full Site Isolation, and disabling V8 JavaScript optimizers to block roughly half of exploit paths (BleepingComputer security news)

Key patch dates and affected versions show the scope of the Android security response.

Label Value
Latest Patch Date December 2025 (30 vulns)
Critical Flaws 4
Affected Platforms Desktop, Android
Official Safety Tool Chrome Safety Check
Desktop Fix Version 146.0.7680.80
Android Fix Version 146.0.76380.119
Android Patch Levels 2026-03-01, 2026-03-05
CVE-2026-21385 Severity 7.8/10

Is Google Chrome safe to use now?

Chrome 146 addressed two actively exploited vulnerabilities — CVE-2026-3910 in the V8 JavaScript engine and CVE-2026-3909 in the Skia graphics library. Google confirmed that exploits for both exist in the wild, meaning attackers were already using these flaws before the patch dropped (Bitdefender security analysis). The desktop version fixed is 146.0.7680.80; Android users need version 146.0.76380.119 or higher.

Recent vulnerability patches

The pace of Chrome security updates has been relentless. December 2025 brought 13 fixes including a high-severity use-after-free flaw in Digital Credentials (CVE-2025-13633), affecting Chrome 143.0.7499.41. One month later, Chrome 144.0.7559.59/60 patched 10 more vulnerabilities — three high-severity in V8 — on January 13, 2026 (Secure.com cybersecurity blog). The pattern is consistent: V8 keeps showing up in Chrome patch logs because its optimizations are a recurring attack surface.

Built-in safety features

Chrome on Android includes Safety Check, a built-in scanner that runs automatically through the Settings menu. It checks whether your passwords have been compromised, whether Safe Browsing is active, whether Chrome is up to date, whether you have unwanted notifications enabled, and whether any site permissions have gone stale. To run it manually: open Chrome, tap More, then Settings, then Safety check (Google Chrome Help documentation).

The upshot

Safety Check runs without third-party software and notifies you directly through Chrome’s new tab page when it finds problems — giving Android users a free, built-in security layer.

How do I check if my Google Chrome has a virus?

Chrome itself doesn’t host viruses, but it can be a gateway for malware — through compromised extensions, malicious redirects, or phishing pages. The browser has two built-in lines of defense: Safe Browsing and Safety Check.

Use Chrome Safety Check

Open Chrome on Android and navigate to More > Settings > Safety check. Chrome will scan for compromised passwords, check your Safe Browsing status, confirm you have the latest version installed, and flag any unused site permissions that could be exploited (Google Chrome Help documentation). Safety Check also reminds you to update Chrome whenever a security patch is available, closing the window between disclosure and your protection.

Scan for malware

Chrome’s Safe Browsing feature checks URLs against Google’s blocklist in real time. When you visit a suspicious site, Chrome displays a “Dangerous site” warning. Android devices also have Play Protect, which scans for threats through the Google Play Store (Google Chrome Help documentation). For more aggressive scanning, third-party antivirus tools can supplement Chrome’s built-in protection — particularly useful if you sideload apps or use extensions from outside the Play Store.

Why this matters

Play Protect runs passively in the background on Android and catches malware that arrives through app downloads — a layer Chrome alone cannot provide.

Is there a security issue with Chrome?

Yes — and the scope is significant. Google’s March 2026 Android security bulletin covered 129 vulnerabilities across the platform, including CVE-2026-21385 — a 7.8/10 severity flaw in Qualcomm chipsets that was already being exploited in the wild by the time the patch shipped. The vulnerability affected 235 different Qualcomm chipset models (TechRadar security coverage). Qualcomm first spotted the flaw on December 18, 2025, and formally notified customers on February 2, 2026.

Latest flaws fixed

Chrome 146 for desktop fixed CVE-2026-3910 (V8 inappropriate implementation) and CVE-2026-3909 (Skia out-of-bounds write). The same vulnerabilities were patched in Chrome 146 for Android — version 146.0.76380.119 — while Chrome on iOS remained unaffected (Bitdefender security analysis). Pixel devices received the March Android patch first (levels 2026-03-01 and 2026-03-05), with Samsung, Xiaomi, and other OEMs following weeks or months later due to Android’s fragmentation challenge.

Arbitrary code execution risk

The Qualcomm zero-day (CVE-2026-21385) earned a 7.8/10 severity rating and allowed remote code execution with no additional user privileges required. Google stated there were “indications” of limited targeted exploitation before the patch arrived (TechRadar security coverage). The December 2025 Chrome update (version 143.0.7499.41) also addressed CVE-2025-14372 — a use-after-free flaw in Chrome’s Password Manager reported on November 14, 2025 by researcher Weipeng Jiang of VRI (Infosecurity Magazine news report).

What to watch

V8 appears in nearly every Chrome patch cycle. Disabling V8 JavaScript optimizers — available through Android’s Advanced Protection — could have mitigated roughly half of exploited bugs, Google estimates, with minimal performance impact on most sites.

What is safer than Google Chrome?

Privacy-focused browsers like Brave have gained traction as alternatives that block trackers by default and don’t build a browsing profile for advertising purposes. Brave’s engine is Chromium-based, meaning it shares Chrome’s security foundation while reducing the attack surface from Google’s data collection (Malwarebytes blog report). For users with specific security needs, specialist outlets like CloudSEK publish annual lists of the most secure browsers, ranking alternatives based on sandboxing, update frequency, and privacy defaults.

Brave browser alternative

Brave blocks ads and trackers by default, shields your IP address, and defaults to HTTPS Everywhere connections. Unlike Chrome, it doesn’t sync browsing data across Google’s servers, removing a potential attack vector for credential theft.

Top secure browsers 2026

Mozilla Firefox continues to score well in independent security audits for its open-source codebase and rapid vulnerability patching. Waterfox and LibreWolf offer hardened Firefox forks with additional privacy stripping. For enterprise users, Chrome’s Enhanced Protection mode — available in Android 16 — offers the tightest integration with Chrome’s security infrastructure while adding Safe Browsing Live Threat Protection.

Comparing browser security features reveals trade-offs between convenience and protection.

Browser Security Focus Update Model
Google Chrome V8 hardening, Advanced Protection, Safe Browsing Auto-update, 4-week cycle
Brave Tracker blocking, IP shielding, no Google sync Chromium-based, regular merges
Mozilla Firefox Open-source codebase, sandboxing Independent rapid releases
Edge SmartScreen, sandboxed tabs Auto-update via Windows

Is Chrome safe from hackers?

Chrome’s security posture is strong when updated, but no browser is completely immune. Google runs one of the industry’s largest vulnerability reward programs — Bug Hunters — which paid out over $12 million in 2025 for reported flaws. The program has directly contributed to patches for several zero-day vulnerabilities disclosed in the past year (Malwarebytes blog report).

Update to latest version

On desktop, Chrome auto-updates when you relaunch the browser. To trigger a manual update, go to Settings > About Chrome — Chrome will download and install any pending patches before the next restart. On Android, the same path applies, but OEM-delivered updates may lag behind Google’s release schedule depending on your device manufacturer.

Privacy settings

Chrome’s Android settings include options to always use secure connections (forcing HTTPS), warn if a saved password appears in a breach, use secure DNS, and manage V8 security settings. Safety Check surfaces which of these settings are active and flags gaps in your protection profile (Google Chrome Help documentation).

The catch

Android fragmentation means that even after Google releases a patch, Samsung, Xiaomi, and other OEMs may take weeks to push it to your device — leaving non-Pixel users exposed longer.

How to run a Chrome security check

  1. Open Chrome on Android and tap the three-dot menu in the top-right corner
  2. Scroll down and select Settings
  3. Tap Safety check under the Security section
  4. Chrome will display the status of each check: compromised passwords, Safe Browsing, Chrome version, and site permissions
  5. Address any items marked with a warning — tap through each to resolve or update

The pattern shows that users who complete these steps regularly reduce their exposure window significantly.

Bottom line: Chrome is as safe as your last update. With 3.4 billion users globally, even short delays in patching create massive exposure windows for attackers.

Upsides

  • Safety Check is free, built-in, and requires no third-party software
  • Chrome auto-updates on desktop within hours of a patch release
  • Advanced Protection (Android 16+) disables V8 optimizers that attackers frequently exploit
  • Google’s Bug Hunters program crowdsources vulnerability discovery at scale
  • Safe Browsing Live Threat Protection in Advanced Protection mode offers real-time site blocking

Downsides

  • Android OEM fragmentation delays patches for non-Pixel devices by weeks or months
  • iOS Chrome does not benefit from Android-specific patches like CVE-2026-3909/3910, creating platform confusion
  • Disabling V8 optimizers can slightly reduce page load performance on graphics-heavy sites
  • Full Site Isolation — a key hardening measure — is only enabled by default on devices with more than 4GB RAM under Advanced Protection
  • Safety Check notifications appear on the new tab page, which some users may never visit

What experts are saying

“Google is aware that an exploit for CVE-2026-3909 [and] CVE-2026-3910 exists in the wild.”

— Google statement reported via Bitdefender HotForSecurity

“There are indications that CVE-2026-21385 may be under limited, targeted exploitation.”

— Android Security Bulletin via TechRadar

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.”

— Google Android Security Bulletin via TechRadar

“Disabling [V8 optimizers] could have mitigated roughly half of such cases, with no significant performance hit on most sites.”

— Chrome Security documentation via BleepingComputer

What we know — and what we don’t

Chrome 146 patches for CVE-2026-3909 and CVE-2026-3910 are confirmed across desktop and Android platforms, with version numbers 146.0.7680.80 and 146.0.76380.119 respectively. The Android March bulletin patched 129 vulnerabilities including CVE-2026-21385 (7.8/10, Qualcomm, 235 chipsets affected). Safety Check instructions are verified from official Google documentation.

What remains less certain is how quickly the Chrome 146 Android patch will reach Samsung and other non-Pixel devices, given that Android fragmentation historically adds weeks to the rollout. Regional variations in OEM update scheduling — particularly for EU devices — are not publicly confirmed by manufacturers. Performance impact data for V8 optimizer disabling on specific device configurations is also not publicly available.

Chrome remains the world’s dominant browser, and Google’s security apparatus is substantial — but the gap between a patch release and your device actually running it is where exposure lives. For Android users, Advanced Protection in Android 16 offers the strongest built-in defense, but only if your device runs the latest OS version. For everyone else, Safety Check is the quickest way to know whether your current setup has unresolved gaps.

Related reading: What Is a Kafka Topic · People Data Labs vs Clearbit

Google’s 2026 zero-day emergency update arrived just before the April patches, fixing an actively exploited flaw that threatened billions of Chrome users worldwide.

Don't miss these

Frequently asked questions

Do I need antivirus for Chrome?

Chrome has built-in Safe Browsing and Safety Check, which cover most threats. Third-party antivirus adds a layer for malware that arrives through channels outside the browser — particularly relevant if you sideload apps on Android or use extensions from unverified sources.

Why does Apple warn not to use Google Chrome?

Apple has historically flagged that browsers on iOS are required to use WebKit (Apple’s rendering engine), meaning Chrome on iOS doesn’t run its own code and doesn’t benefit from Chrome-specific patches. However, Chrome on Android and desktop runs its own Chromium engine and receives full security updates.

Will uninstalling Chrome get rid of malware?

Uninstalling Chrome removes the browser and its saved data, but malware that has been installed as a standalone app or has modified system files will remain. Use Safety Check to identify compromised passwords, and run a full device scan with Play Protect or a third-party antivirus tool.

What are the signs your computer has been hacked?

Common indicators include unexpected browser redirects, new toolbars or extensions you didn’t install, a sudden slowdown in page loads, frequent crashes, changed homepage or search engine without your input, and alerts from Safe Browsing when visiting familiar sites. Safety Check flags compromised passwords as a first step.

How to scan Chrome for viruses and remove them permanently?

On Android, run Safety Check (Chrome > More > Settings > Safety check) and Play Protect (Google Play Store > Play Protect). On desktop, update Chrome to the latest version and run a scan with your system antivirus. Remove suspicious extensions by navigating to chrome://extensions and disabling anything unfamiliar.

What are the Chrome security settings I should enable?

Enable “Always use secure connections” to force HTTPS on supported sites, turn on “Warn if password compromised” under Password Manager, select a secure DNS provider in the Privacy settings, and ensure Safe Browsing is active. Under Advanced Protection (Android 16+), enable V8 security hardening to disable risky JavaScript optimizations.