April Browser Security: Chrome Extensions & Patch Tuesday Zero-Days
Microsoft Addresses 168 Vulnerabilities, Including 6 Zero-Days in April 2026 Patch Tuesday
- Microsoft's April 2026 Patch Tuesday addressed 168 security vulnerabilities across its product line, marking one of the largest update cycles in recent history.
- The updates included fixes for six zero-day vulnerabilities, with one notable flaw (CVE-2026-21510, Windows Shell Security Feature Bypass) confirmed as actively exploited.
- Although not explicitly listed as an Edge patch, CVE-2026-21510 could affect how browsers interact with the operating system, which makes it relevant to browser security.
Source: KrebsOnSecurity | Date: April 14, 2026
AI-Driven "Pushpaganda" Scam Exploits Google Discover to Spread Scareware
- An AI-driven scam, dubbed "Pushpaganda," is actively exploiting Google Discover to disseminate scareware and engage in ad fraud.
- The campaign leverages artificial intelligence to create highly convincing, deceptive content that tricks users into installing malicious software.
- Users accessing Google Discover via browsers or Google applications are targeted, highlighting a novel vector for spreading unwanted software through legitimate content feeds.
Source: The Hacker News | Date: April 25, 2026
Over 100 Malicious Chrome Extensions Steal Google and Telegram Data
- Security researchers identified 108 malicious Chrome extensions actively stealing sensitive user data, including Google account credentials and Telegram information.
- These extensions collectively affected approximately 20,000 users who unknowingly installed them from the Chrome Web Store.
- The attack highlights the persistent threat of supply chain compromise within browser extension ecosystems, urging users to scrutinize permissions and sources.
Source: The Hacker News | Date: April 24, 2026
CISA Adds Browser-Relevant Microsoft and Adobe Flaws to Known Exploited Vulnerabilities Catalog
- CISA updated its Known Exploited Vulnerabilities (KEV) catalog, adding six flaws, including those affecting Adobe Acrobat and Reader, and Microsoft Windows.
- Specifically, CVE-2026-28825 and CVE-2026-28826 for Adobe Acrobat and Reader are critical as they can be exploited through web-delivered PDF files, directly impacting browser security.
- Also included is CVE-2026-21510, a Windows Shell Security Feature Bypass vulnerability, which can be leveraged in drive-by download scenarios affecting web browsers.
Source: The Hacker News | Date: April 16, 2026
Google Chrome Introduces "Skills" Feature for One-Click AI Prompt Tools
- Google has launched a new "Skills" feature in Chrome, allowing users to transform their best AI prompts into one-click tools accessible directly within the browser.
- This initiative aims to streamline user interaction with AI services by embedding AI capabilities deeper into the Chrome browsing experience.
- While enhancing productivity, this feature introduces new considerations for prompt security and potential manipulation vectors, which users and developers should be mindful of.
Source: Google Blog | Date: April 16, 2026
Microsoft's April 2026 Patch Tuesday Addresses 168 Bugs, Including 7 Edge Browser Patches
- Microsoft's substantial April 2026 Patch Tuesday fixed 168 vulnerabilities across its product portfolio, with six actively exploited zero-days.
- The Edge browser received specific attention, with seven distinct patches rolled out to enhance its security posture.
- Users are urged to update their systems promptly to mitigate risks associated with these widespread vulnerabilities, particularly those under active exploitation.
Source: The Register | Date: April 14, 2026
Zero Day Initiative Provides In-Depth Analysis of April 2026 Microsoft Security Updates
- The Zero Day Initiative (ZDI) review of April 2026 Patch Tuesday highlighted critical vulnerabilities, including those affecting Microsoft Edge and the Windows Shell.
- The report provided technical insights into CVE-2026-21510, a Windows Shell security feature bypass, which poses a risk for browser-initiated actions and file handling.
- Several browser-related components received fixes, underscoring the continuous efforts to secure the web browsing environment against evolving threats.
Source: The Zero Day Initiative | Date: April 14, 2026
Microsoft April 2026 Patch Tuesday Fixes 168 Vulnerabilities, Including Actively Exploited Zero-Day
- Microsoft released a comprehensive security update for April 2026, patching 168 vulnerabilities, among them a critical, actively exploited zero-day flaw.
- The zero-day, identified as CVE-2026-21510 (Windows Shell Security Feature Bypass), could allow attackers to bypass security features, impacting user interactions, including those initiated via web browsers.
- This Patch Tuesday included fixes across various products, emphasizing the ongoing need for timely application of updates to protect systems from known threats.
Source: Cybersecurity News | Date: April 14, 2026
0patch Releases Micropatches for Actively Exploited Windows Shell Vulnerability CVE-2026-21510
- 0patch has issued micropatches for CVE-2026-21510, a Windows Shell Security Feature Bypass vulnerability, which is under active exploitation.
- These micropatches provide immediate protection for systems that cannot apply official Microsoft updates promptly, closing a gap often exploited in browser-driven attack chains.
- The vulnerability's active exploitation status underscores the urgency for all users, including those relying on browser-based interactions, to secure their systems against this threat.
Source: 0patch Blog | Date: April 16, 2026
CISA Adds Seven New Exploits to KEV Catalog, Including Critical Adobe and Microsoft Flaws
- CISA expanded its Known Exploited Vulnerabilities (KEV) catalog with seven new entries, advising federal agencies to patch these flaws immediately.
- The additions include critical vulnerabilities in Adobe Acrobat and Reader (CVE-2026-28825, CVE-2026-28826) and a Microsoft Windows Shell flaw (CVE-2026-21510).
- These vulnerabilities, particularly those affecting PDF readers and Windows Shell, can be leveraged through web-based attacks and can compromise browser security contexts.
Source: SecurityOnline | Date: April 16, 2026
NCSC Warns of Widespread Exploitation Risk for Critical Adobe Acrobat Vulnerability
- The Dutch National Cyber Security Centre (NCSC) has issued a warning regarding a critical Adobe Acrobat vulnerability, anticipating widespread exploitation.
- This flaw, likely CVE-2026-28825 or CVE-2026-28826, affects how Adobe Acrobat and Reader process files, making it a significant risk for users opening malicious PDFs, often through web browsers.
- Organizations and individuals are strongly advised to apply available patches to Adobe products to prevent potential compromises stemming from web-based PDF attacks.
Source: Security.nl | Date: April 14, 2026
U.S. CISA Adds Critical Adobe, Microsoft Windows Flaws to Known Exploited Vulnerabilities Catalog
- The U.S. CISA has updated its KEV catalog, adding multiple actively exploited vulnerabilities, including critical flaws in Adobe Acrobat/Reader and Microsoft Windows.
- The Adobe vulnerabilities (CVE-2026-28825 and CVE-2026-28826) are highly relevant to browser security, as they can lead to arbitrary code execution when processing malicious PDF files via web browsers.
- CISA also included the Microsoft Windows Shell Security Feature Bypass (CVE-2026-21510), which presents a risk to browser-mediated file handling and execution, emphasizing immediate patching.
Source: Security Affairs | Date: April 16, 2026
References
- Patch Tuesday, April 2026 Edition - KrebsOnSecurity
- AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud - The Hacker News
- 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users - The Hacker News
- CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software - The Hacker News
- Turn your best AI prompts into one-click tools in Chrome - Google Blog
- Microsoft's massive Patch Tuesday: It's raining bugs - The Register
- The April 2026 Security Update Review - The Zero Day Initiative
- Microsoft Patch Tuesday April 2026 – 168 Vulnerabilities Fixed, Including Actively Exploited 0-day - Cybersecurity News
- Micropatches released for Windows Shell Security Feature Bypass Vulnerability (CVE-2026-21510) - 0patch Blog
- CISA Adds 7 Fresh Exploits to KEV Catalog - SecurityOnline
- NCSC verwacht grootschalig misbruik van kritiek Adobe Acrobat-lek [NCSC expects large-scale abuse of critical Adobe Acrobat vulnerability] - Security.nl
- U.S. CISA adds Adobe, Fortinet, Microsoft Exchange Server, and Microsoft Windows flaws to its Known Exploited Vulnerabilities catalog - Security Affairs
- CVE-2026-21510 - NVD
- CVE-2026-28825 - NVD
- CVE-2026-28826 - NVD