PAN-SA-2026-0004 Chromium: Monthly Vulnerability Update (April 2026)

Urgency MODERATE

Severity 6.1 · MEDIUM
Exploit Maturity UNREPORTED
Response Effort LOW
Recovery USER
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction ACTIVE
Product Confidentiality HIGH
Product Integrity HIGH
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

Palo Alto Networks incorporated the following Chromium security fixes into our products:

CVE             Summary
CVE-2026-2648   Heap buffer overflow in PDFium
CVE-2026-2649   Integer overflow in V8
CVE-2026-2650   Heap buffer overflow in Media
CVE-2026-3061   Out of bounds read in Media
CVE-2026-3062   Out of bounds read and write in Tint
CVE-2026-3063   Inappropriate implementation in DevTools
CVE-2026-3536   Integer overflow in ANGLE
CVE-2026-3537   Object lifecycle issue in PowerVR
CVE-2026-3538   Integer overflow in Skia
CVE-2026-3539   Object lifecycle issue in DevTools
CVE-2026-3540   Inappropriate implementation in WebAudio
CVE-2026-3541   Inappropriate implementation in CSS
CVE-2026-3542   Inappropriate implementation in WebAssembly
CVE-2026-3543   Inappropriate implementation in V8
CVE-2026-3544   Heap buffer overflow in WebCodecs
CVE-2026-3545   Insufficient data validation in Navigation
CVE-2026-3909   Out of bounds write in Skia
CVE-2026-3910   Inappropriate implementation in V8
CVE-2026-3926   Out of bounds read in V8
CVE-2026-3927   Incorrect security UI in PictureInPicture
CVE-2026-3935   Incorrect security UI in WebAppInstalls
CVE-2026-3936   Use after free in WebView
CVE-2026-3940   Insufficient policy enforcement in DevTools
CVE-2026-4464   Integer overflow in ANGLE
CVE-2026-4679   Integer overflow in Fonts
CVE-2026-4680   Use after free in FedCM
CVE-2026-5281   Use after free in Dawn
CVE-2026-5284   Use after free in Dawn
CVE-2026-5287   Use after free in PDF
CVE-2026-5291   Inappropriate implementation in WebGL
CVE-2026-5292   Out of bounds read in WebCodecs

Product Status

Versions        Affected          Unaffected
Prisma Browser  < 145.16.12.110   >= 146.3.8.76

Required Configuration for Exposure

No special configuration is required to be affected by this issue.

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-BT: 6.1 / CVSS-B: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:L/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Solution

CVE             Prisma Browser
CVE-2026-2648   145.16.12.110
CVE-2026-2649   145.16.12.110
CVE-2026-2650   145.16.12.110
CVE-2026-3061   145.24.7.116
CVE-2026-3062   145.24.7.116
CVE-2026-3063   145.24.7.116
CVE-2026-3536   145.30.9.160
CVE-2026-3537   145.30.9.160
CVE-2026-3538   145.30.9.160
CVE-2026-3539   145.30.9.160
CVE-2026-3540   145.30.9.160
CVE-2026-3541   145.30.9.160
CVE-2026-3542   145.30.9.160
CVE-2026-3543   145.30.9.160
CVE-2026-3544   145.30.9.160
CVE-2026-3545   145.30.9.160
CVE-2026-3926   146.3.7.72
CVE-2026-3927   146.3.7.72
CVE-2026-3935   146.3.7.72
CVE-2026-3936   146.3.7.72
CVE-2026-3940   146.3.7.72
CVE-2026-3909   146.3.8.76
CVE-2026-3910   146.3.8.76
CVE-2026-4464   146.10.7.154
CVE-2026-4679   146.16.6.165
CVE-2026-4680   146.16.6.165
CVE-2026-5281   146.16.9.178
CVE-2026-5284   146.16.9.178
CVE-2026-5287   146.16.9.178
CVE-2026-5291   146.16.9.178
CVE-2026-5292   146.16.9.178

Workarounds and Mitigations

No known workarounds exist for this issue.

Timeline

Initial Publication