Critical Vulnerabilities This Week: Chrome, Citrix NetScaler & TrueConf — What Texas Businesses Need to Patch Now

Every Monday morning I sit down with a cup of coffee and run through the latest additions to the CISA Known Exploited Vulnerabilities (KEV) catalog. It is the single best source of truth for "what should I actually be worried about this week" — not theoretical risks, not bug bounty curiosities, but real vulnerabilities being weaponized against real businesses right now.

This week, three entries jumped out at me as directly relevant to the small and medium businesses I serve here in Texas. Each one is a textbook example of why patching is not a "we will get to it next quarter" activity. Here is what you need to know.

1. CVE-2026-5281 — Google Chrome Dawn WebGPU Use-After-Free

CISA KEV added: April 1, 2026 · Federal patch deadline: April 15, 2026 · Severity: Critical

Chrome has a use-after-free vulnerability in its Dawn WebGPU implementation. In plain English: Chrome's graphics engine has a memory-management bug that a malicious website can exploit to execute arbitrary code on your computer. No click. No download. Just visit the wrong site.

Why it matters for Texas small businesses: Chrome is probably the most-used browser on every workstation in your office. If an attacker compromises this flaw, they bypass Chrome's sandbox and run code at the system level — which means full access to whatever that user can access. Email, files, saved passwords, VPN sessions, everything.

How to remediate:

• Update Chrome to the latest stable version immediately. Go to chrome://settings/help on every workstation — Chrome will auto-update if it is out of date, then require a restart.
• If you use Microsoft Edge, Brave, Opera, or any other Chromium-based browser, they use the same rendering engine and need the same patch. Update those too.
• For managed fleets, push the update via your RMM tool or Microsoft Intune. If you are a BVTech managed IT client, I have already pushed this patch across your fleet — you do not need to do anything.

2. CVE-2026-3055 — Citrix NetScaler ADC / Gateway Out-of-Bounds Read

CISA KEV added: March 30, 2026 · Federal patch deadline: April 2, 2026 · Severity: Critical

Citrix NetScaler ADC and NetScaler Gateway contain an out-of-bounds read vulnerability when the product is configured as a SAML identity provider. An attacker can trick the device into reading memory it should not, potentially leaking session tokens, user credentials, or other sensitive data.

This one is particularly nasty because NetScaler is often the front door to a business network — it handles VPN access, single sign-on, and remote workforce authentication. A compromised NetScaler is a compromised perimeter. And because this vulnerability is already being exploited, the federal patch deadline was the shortest possible window: two days.

How to remediate:

• If you run Citrix NetScaler ADC, NetScaler Gateway, or NetScaler ADC FIPS / NDcPP, follow the official Citrix security bulletin immediately. Apply the vendor patches or mitigations.
• Review your SAML IDP configuration and audit any session logs for anomalous activity over the last 30 days.
• Rotate SAML signing keys and any secrets that might have been exposed during the exploitation window.
• If you are not sure whether you run NetScaler or how it is configured, call BVTech at (210) 538-3669. I will help you figure it out — free of charge — whether or not you are a current client.

3. TrueConf Client — Download of Code Without Integrity Check

CISA KEV added: April 2, 2026 · Severity: High

TrueConf Client, a video conferencing platform used by some Texas healthcare practices and government offices, downloads update code without verifying its integrity. An attacker who can influence the update delivery path — typically through a man-in-the-middle attack or a compromised network — can substitute a tampered update payload. When TrueConf installs it, the attacker gets arbitrary code execution.

This is a classic supply-chain style attack. You are not exploited by a phishing email or a malicious link. You are exploited because your video conferencing app trusted an update that should not have been trusted.

How to remediate:

• Apply the TrueConf vendor mitigation from the official advisory at trueconf.com/blog/update.
• If your organization does not actively use TrueConf, uninstall it from every device. Unused software is risk without reward.
• For video conferencing, I recommend my Texas clients use Microsoft Teams or Zoom — both have mature code-signing and integrity-checking for their update mechanisms.

The Bigger Picture: Why This Matters for Texas SMBs

None of these three vulnerabilities is exotic. None requires a nation-state adversary or a zero-day research budget. They are all in software that Texas small and medium businesses use every single day — Chrome on every laptop, Citrix at the perimeter, TrueConf for a video call. And all three are being actively exploited right now.

Here is the hard truth I tell every new BVTech client: the difference between the businesses that get breached and the businesses that do not is almost never the sophistication of their security stack. It is the speed of their patching.

Large enterprises have teams dedicated to this. They have change management boards, patch Tuesday calendars, and maintenance windows. Small businesses usually do not. That is why an MSP like BVTech exists — to give your 5-person or 50-person company the same patching discipline that a Fortune 500 takes for granted, without the Fortune 500 price tag.

Need Help With This Week's Patches?

If you are a Texas small or medium business and any of these three vulnerabilities affects your environment, I am happy to help — whether or not you are a current BVTech client. Call me directly at (210) 538-3669 or email [email protected]. No sales pitch, just straight guidance on how to remediate and how to reduce your exposure next time.

Stay safe out there, Texas.

— Jordan Polasek is the Founder and Managing Partner of BVTech LLC, a Texas-based managed IT services provider. He holds a 4.0 GPA in Cloud Computing, AWS and 1Password certifications, and won the SuperOps Solo MSP of the Year Award in 2023. Connect with Jordan on LinkedIn or at jordanpolasek.com.