Google Chrome Stable Channel Update Fixes Three High-Severity Vulnerabilities
Google released a Chrome Stable Channel security update for desktop, shipping 145.0.7632.116/117 for Windows and macOS and 144.0.7559.116 for Linux, and urged users to apply updates as they roll out. The Canadian Centre for Cyber Security echoed the guidance in advisory AV26-159, recommending administrators review Google’s bulletin and deploy the patched versions to address the disclosed vulnerabilities.
Reporting on the release described an “emergency” update that fixes three High-severity CVEs, including multiple out-of-bounds memory access issues with potential exploitation impact (e.g., memory corruption that can contribute to remote code execution or exploit chains). The vulnerabilities highlighted include CVE-2026-3061 (out-of-bounds read in Chrome’s Media component, reported by Luke Francis) and CVE-2026-3062 (out-of-bounds read/write in Tint / WebGPU shader compiler, reported by Cinzinga), with the update recommended for rapid enterprise deployment due to the risk posed by unpatched browsers.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security issues advisory on Chrome update
On 2026-02-24, the Canadian Centre for Cyber Security published advisory AV26-159 referencing Google's February 23 security update. It urged users and administrators to review Google's advisory and apply the necessary Chrome updates.
Google withholds detailed bug information pending patch adoption
Alongside the 2026-02-23 release, Google said technical details for the three vulnerabilities would remain restricted until most users had updated or related third-party dependencies were patched. The company also indicated there was no public statement of active in-the-wild exploitation at the time of reporting.
Google releases Chrome Stable update fixing three high-severity flaws
On 2026-02-23, Google published a Stable Channel update for Chrome Desktop, rolling out version 145.0.7632.116/117 for Windows and macOS and 145.0.7632.116 for Linux. The release patched three high-severity vulnerabilities: CVE-2026-3061 in Media, CVE-2026-3062 in Tint/WebGPU, and CVE-2026-3063 in DevTools.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Google has fixed triple high severity flaws in Chrome - TheCyberThrone
thecyberthrone.in
Open sourceGoogle Alerts Users to Serious Chrome Bugs With Takeover Risk
techrepublic.com
Open sourceGoogle Chrome security advisory (AV26-159) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceGoogle Chrome Emergency Security Update Patches Three High-Severity Vulnerabilities
cybersecuritynews.com
Open sourceChrome Releases: Stable Channel Update for Desktop
chromereleases.googleblog.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Chrome Emergency Update Patches Multiple Critical Vulnerabilities
Google released an emergency update for *Chrome for Desktop* to **Stable channel 145.0.7632.159/160 (Windows/macOS)** and **145.0.7632.159 (Linux)**, addressing **10 security vulnerabilities**, including **three Critical** issues. Reported flaws include `CVE-2026-3536` (integer overflow in **ANGLE**), `CVE-2026-3537` (object lifecycle issue in **PowerVR**), and `CVE-2026-3538` (integer overflow in **Skia**); additional **High-severity** bugs span components such as **V8**, **WebAssembly**, **CSS**, **DevTools**, and media-related subsystems. Google limited detailed disclosure until patch adoption increases and urged users to update promptly; reported bug bounty awards for individual findings reached **up to $33,000**. The Canadian Centre for Cyber Security echoed Google’s advisory, recommending organizations apply the Chrome updates when available to remediate the affected versions. Separate Canadian Centre advisories also covered unrelated patch guidance for **Drupal contributed modules** (including a **critical access bypass** in *AJAX Dashboard* and moderate issues such as XSS in other modules) and a **Tenable Nessus Manager** vulnerability fixed in versions **10.10.3** and **10.11.3**; these items are distinct from the Chrome emergency update and should be tracked independently in vulnerability management workflows.
Mar 21, 2026
Google Chrome Stable Channel Update Fixes 29 Vulnerabilities Including Critical WebML Heap Overflow
Google released **Chrome 146** to the Stable channel for Windows, macOS, and Linux, addressing **29 security vulnerabilities** in versions prior to `146.0.7680.71/72` (Windows/macOS) and `146.0.7680.71` (Linux). The most severe issue highlighted is **CVE-2026-3913**, a **critical heap buffer overflow in WebML** that could enable **remote code execution** when a user visits a maliciously crafted webpage; additional high-severity fixes include multiple memory-safety bugs such as **use-after-free** and **out-of-bounds read** conditions across browser components. The Canadian Centre for Cyber Security issued advisory **AV26-220** urging organizations to review Google’s guidance and apply the Chrome updates as they become available. A separate Canadian advisory, **AV26-206**, covers **Microsoft Edge** Stable updates for versions prior to `145.0.3800.97`; while also Chromium-based, it is a distinct vendor release and should be tracked separately from the Chrome 146 patch cycle.
Mar 21, 2026
Chrome Desktop Update Fixes 28 Flaws Including Critical Memory Corruption Bugs
Google released a Stable Channel update for Chrome Desktop, upgrading Windows and Mac to **149.0.7827.114/.115** and Linux to **149.0.7827.114**, to address **28 security vulnerabilities** across components including Core, DigitalCredentials, Accessibility, GPU, WebMIDI, Network, DevTools, Extensions, Video, and Views. The release includes **five critical flaws**, notably multiple use-after-free bugs, a heap buffer overflow in GPU, and insufficient validation of untrusted input in Accessibility; Google said technical details will remain restricted until most users are patched or dependent third-party fixes are available. Published CVE records tied to the release highlight several high-severity issues: **`CVE-2026-12013`**, a Chrome Media use-after-free on Windows that could be triggered through a crafted HTML page; **`CVE-2026-12014`**, a Cast use-after-free that could enable a sandbox escape from the local network segment via malicious network traffic; **`CVE-2026-12016`**, a DevTools flaw that could allow sandbox escape after renderer compromise; and **`CVE-2026-12018`**, a Mojo issue that could lead to OS-level privilege escalation on Windows through a malicious file. The Canadian Centre for Cyber Security urged users and administrators running versions prior to the patched builds to review Google’s advisory and apply updates as they become available.
Jun 12, 2026