Malware & Threats

Chrome 127 Improves Cookie Protection on Windows

Google has improved the security of cookies in Chrome on Windows and rolled out a Chrome 127 update to address critical- and high-severity vulnerabilities.

Google has improved the security of cookies in Chrome on Windows and rolled out a Chrome 127 update to address critical- and high-severity vulnerabilities.

Google on Tuesday announced improved cookie protections in Chrome on Windows and rolled out a Chrome 127 security update to resolve three vulnerabilities reported by external researchers.

The most severe of the resolved security defects is CVE-2024-6990, a critical-severity uninitialized use issue in Dawn, the open source implementation of the WebGPU standard, Google’s advisory reads.

The remaining two flaws are high-severity bugs: an out-of-bounds read in WebTransport (CVE-2024-7255), and insufficient data validation in Dawn (CVE-2024-7256).

Google says it has yet to determine the bug bounty amounts to be paid to the reporting researchers. The latest Chrome iteration is now rolling out as versions 127.0.6533.88/89 for Windows and macOS, and as version 127.0.6533.88 for Linux.

Google makes no mention of any of these vulnerabilities being exploited in the wild but users are advised to update their browsers as soon as possible.

After announcing last week that it will keep third-party cookies in Chrome, the internet giant has introduced a new protection in Chrome 127 on Windows to prevent information stealers and other malicious applications from accessing browser cookies.

Advertisement. Scroll to continue reading.

Following the introduction of Device Bound Session Credentials (DBSC) in April to prevent cookie theft by binding browser authentication sessions to the device, Google is now adding Application-Bound (App-Bound) Encryption primitives to improve the Data Protection API (DPAPI) used on Windows for cookie protection.

“Rather than allowing any app running as the logged in user to access this data, Chrome can now encrypt data tied to app identity,” the internet giant explains.

While Chrome 127 migrates cookies to this new system, future browser releases will expand the protection to passwords, authentication tokens, and payment data, to better protect users’ secrets from infostealers.

“App-Bound Encryption relies on a privileged service to verify the identity of the requesting application. During encryption, the App-Bound Encryption service encodes the app’s identity into the encrypted data, and then verifies this is valid when decryption is attempted. If another app on the system tries to decrypt the same data, it will fail,” the company explains.

The App-Bound service runs with system privileges, which means that simply installing a malicious application will not be enough to steal the secrets. Instead, the malware needs system privileges or to inject code into Chrome, making it susceptible to antivirus detection.

The protection, which works in tandem with providing event logs for cookie decryption, is particularly efficient in enterprise environments where users are not allowed to run files with administrator privileges, meaning that malware cannot request elevated privileges.

However, because App-Bound Encryption binds the encryption key to the machine, it will not work if Chrome profiles roam between multiple systems, Google explains.

“App-Bound Encryption increases the cost of data theft to attackers and also makes their actions far noisier on the system. It helps defenders draw a clear line in the sand for what is acceptable behavior for other apps on the system,” Google notes.

Related: Google Boosts Chrome Protections Against Malicious Files

Related: Chrome 127 Patches 24 Vulnerabilities

Related: Google Unveils New Chrome Enterprise Core Features for IT, Security Teams

Related Content

Vulnerabilities

The security refresh resolves 13 use-after-free bugs, including two critical-severity flaws found by Google.

Vulnerabilities

Fifteen of the newly patched flaws have been rated ‘critical’ and 67 have been rated ‘high severity’.

Vulnerabilities

More than half of the bugs are use-after-free defects, which can potentially lead to remote code execution.

Vulnerabilities

The browser updates address multiple memory safety bugs that could potentially lead to remote code execution.

Vulnerabilities

The browser refresh resolved critical and high-severity security defects, including a dozen use-after-free bugs.

Vulnerabilities

The vulnerability is tracked as CVE-2026-11645 and it was reported in late April by an anonymous researcher.

Vulnerabilities

Over 100 bugs are critical or high-severity, mainly use-after-free and insufficient validation of untrusted input flaws.

Vulnerabilities

The browser update resolves critical-severity security defects that could potentially lead to remote code execution.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version