Google Chrome Emergency Update Patches Multiple Critical Vulnerabilities
Google released an emergency update for Chrome for Desktop to Stable channel 145.0.7632.159/160 (Windows/macOS) and 145.0.7632.159 (Linux), addressing 10 security vulnerabilities, including three Critical issues. Reported flaws include CVE-2026-3536 (integer overflow in ANGLE), CVE-2026-3537 (object lifecycle issue in PowerVR), and CVE-2026-3538 (integer overflow in Skia); additional High-severity bugs span components such as V8, WebAssembly, CSS, DevTools, and media-related subsystems. Google limited detailed disclosure until patch adoption increases and urged users to update promptly; reported bug bounty awards for individual findings reached up to $33,000.
The Canadian Centre for Cyber Security echoed Google’s advisory, recommending organizations apply the Chrome updates when available to remediate the affected versions. Separate Canadian Centre advisories also covered unrelated patch guidance for Drupal contributed modules (including a critical access bypass in AJAX Dashboard and moderate issues such as XSS in other modules) and a Tenable Nessus Manager vulnerability fixed in versions 10.10.3 and 10.11.3; these items are distinct from the Chrome emergency update and should be tracked independently in vulnerability management workflows.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Debian releases DSA 6157-1 chromium security update
Debian published security advisory DSA 6157-1 for chromium, indicating a downstream security update in response to the Chrome/Chromium vulnerabilities. The notice was issued through the Debian security announce list.
Canadian Centre for Cyber Security issues Chrome update notice
The Canadian Centre for Cyber Security published advisory AV26-194, alerting users and administrators to Google's Chrome security update and recommending they review the vendor advisory and apply updates when available.
Google publishes Chrome Stable Channel security advisory
Google published a security advisory for Chrome for Desktop covering versions prior to 145.0.7632.159/160 on Windows and macOS and prior to 145.0.7632.159 on Linux. The advisory addressed 10 vulnerabilities, including three rated Critical, and Google said it had not observed active exploitation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
[SECURITY] [DSA 6157-1] chromium security update
lists.debian.org
Open sourceGoogle Releases Emergency Chrome Update to Fix 10 Security Vulnerabilities
cybersecuritynews.com
Open sourceGoogle Chrome security advisory (AV26-194) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Chrome Stable Channel Update Fixes Three High-Severity Vulnerabilities
Google released a **Chrome Stable Channel** security update for desktop, shipping **145.0.7632.116/117** for Windows and macOS and **144.0.7559.116** for Linux, and urged users to apply updates as they roll out. The Canadian Centre for Cyber Security echoed the guidance in advisory **AV26-159**, recommending administrators review Google’s bulletin and deploy the patched versions to address the disclosed vulnerabilities. Reporting on the release described an “emergency” update that fixes **three High-severity CVEs**, including multiple **out-of-bounds memory access** issues with potential exploitation impact (e.g., memory corruption that can contribute to remote code execution or exploit chains). The vulnerabilities highlighted include `CVE-2026-3061` (out-of-bounds read in Chrome’s **Media** component, reported by Luke Francis) and `CVE-2026-3062` (out-of-bounds read/write in **Tint** / WebGPU shader compiler, reported by Cinzinga), with the update recommended for rapid enterprise deployment due to the risk posed by unpatched browsers.
Mar 21, 2026
Google Chrome Zero-Day CVE-2026-2441 Exploited in the Wild
Google released an urgent *Chrome for Desktop* Stable Channel update to address **CVE-2026-2441**, a high-severity zero-day that Google said has an exploit **active in the wild**. The issue is a **use-after-free in Chrome’s CSS component**, a memory-corruption flaw that can enable code execution in the browser context when a user visits a malicious or compromised webpage; the vulnerability was reported to Google by researcher **Shaheen Fazim**. The Canadian Centre for Cyber Security echoed the need to patch Chrome, advising organizations to update beyond affected Stable Channel versions (Windows/Mac prior to `145.0.7632.68` and Linux prior to `144.0.7559.67`), while third-party reporting indicated patched Stable builds rolling out to `145.0.7632.75/.76` (Windows/Mac) and `144.0.7559.75` (Linux). Other Canadian Centre advisories published in the same period covered unrelated vendor patches for **Tenable Nessus Agent** (CVE-2026-2026), **Juniper Secure Analytics (JSA)**, **HPE SimpliVity** (Intel firmware advisories), and **PostgreSQL** point releases; these are separate remediation items and not part of the Chrome zero-day event.
Mar 21, 2026
Google Chrome 142 Emergency Update Addresses Multiple High-Risk RCE Vulnerabilities
Google released an emergency update for its Chrome browser, version 142, to patch five security vulnerabilities, including three high-severity flaws that could allow remote code execution (RCE) on Windows, macOS, Linux, and Android platforms. The most critical vulnerability, CVE-2025-12725, is an out-of-bounds write in the WebGPU graphics interface, which could enable attackers to execute arbitrary code by corrupting system memory. Two additional high-severity vulnerabilities, CVE-2025-12726 in the Views component and CVE-2025-12727 in the V8 JavaScript engine, were also addressed, both posing significant risk for memory manipulation and potential code execution. Google has limited the release of technical details to prevent exploitation before users apply the update, but internal assessments rate the vulnerabilities with a CVSS 3.1 score of 8.8, indicating a direct and serious risk. The update is being distributed across all major desktop and mobile platforms, and users are strongly advised to update Chrome promptly to mitigate the risk of exploitation. Two medium-severity issues in the Omnibox were also fixed in this release.
Mar 21, 2026