The stable channel has been updated to 48.0.2564.109 for Windows, Mac, and Linux.

Security Fixes and Rewards


Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 6 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.

[$7500][546677] High CVE-2016-1622: Same-origin bypass in Extensions. Credit to anonymous.
[$7500][577105] High CVE-2016-1623: Same-origin bypass in DOM. Credit to Mariusz Mlynski.
[$TBD][583607] High CVE-2016-1624: Buffer overflow in Brotli. Credit to Luke Li and Jonathan Metzman.
[$1000][509313] Medium CVE-2016-1625: Navigation bypass in Chrome Instant. Credit to Jann Horn.
[571480] Medium CVE-2016-1626: Out-of-bounds read in PDFium. Credit to anonymous, working with HP's Zero Day Initiative.
[571479] Medium CVE-2016-1628: Out-of-bounds read in PDFium. Credit to anonymous, working with HP's Zero Day Initiative.

As usual, our ongoing internal security work:
  • [585517] CVE-2016-1627: Various fixes from internal audits, fuzzing and other initiatives.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer or Control Flow Integrity.

A list of changes is available in the log. Interested in switching release channels? Find out how. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome