Google Chrome Stable Channel Update Fixes 29 Vulnerabilities Including Critical WebML Heap Overflow
Google released Chrome 146 to the Stable channel for Windows, macOS, and Linux, addressing 29 security vulnerabilities in versions prior to 146.0.7680.71/72 (Windows/macOS) and 146.0.7680.71 (Linux). The most severe issue highlighted is CVE-2026-3913, a critical heap buffer overflow in WebML that could enable remote code execution when a user visits a maliciously crafted webpage; additional high-severity fixes include multiple memory-safety bugs such as use-after-free and out-of-bounds read conditions across browser components.
The Canadian Centre for Cyber Security issued advisory AV26-220 urging organizations to review Google’s guidance and apply the Chrome updates as they become available. A separate Canadian advisory, AV26-206, covers Microsoft Edge Stable updates for versions prior to 145.0.3800.97; while also Chromium-based, it is a distinct vendor release and should be tracked separately from the Chrome 146 patch cycle.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Google publishes follow-up Chrome advisory for newer stable versions
On March 12, 2026, Google published another Chrome stable channel security advisory covering versions prior to 146.0.7680.75/76 on Windows and Mac and prior to 146.0.7680.75 on Linux. Google said exploits for CVE-2026-3909 and CVE-2026-3910 exist in the wild, indicating active exploitation.
Google issues Chrome 146 stable update fixing 29 vulnerabilities
On March 10, 2026, Google released Chrome 146 to the stable channel for Windows, macOS, and Linux, addressing 29 security vulnerabilities in versions prior to 146.0.7680.71/72 on Windows and Mac and prior to 146.0.7680.71 on Linux. The fixes included critical CVE-2026-3913, a heap buffer overflow in WebML that could enable remote code execution via a malicious web page.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Google Chrome security advisory (AV26-235) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceChrome Security Update - Patch for 29 Vulnerabilities that Allows Remote Code Execution
cybersecuritynews.com
Open sourceGoogle Chrome security advisory (AV26-220) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Chrome Stable Channel Update Fixes Three High-Severity Vulnerabilities
Google released a **Chrome Stable Channel** security update for desktop, shipping **145.0.7632.116/117** for Windows and macOS and **144.0.7559.116** for Linux, and urged users to apply updates as they roll out. The Canadian Centre for Cyber Security echoed the guidance in advisory **AV26-159**, recommending administrators review Google’s bulletin and deploy the patched versions to address the disclosed vulnerabilities. Reporting on the release described an “emergency” update that fixes **three High-severity CVEs**, including multiple **out-of-bounds memory access** issues with potential exploitation impact (e.g., memory corruption that can contribute to remote code execution or exploit chains). The vulnerabilities highlighted include `CVE-2026-3061` (out-of-bounds read in Chrome’s **Media** component, reported by Luke Francis) and `CVE-2026-3062` (out-of-bounds read/write in **Tint** / WebGPU shader compiler, reported by Cinzinga), with the update recommended for rapid enterprise deployment due to the risk posed by unpatched browsers.
Mar 21, 2026
Google Chrome Update Fixes 79 Flaws, Including 14 Critical Bugs
Google released a Stable Channel update for Chrome Desktop that fixes **79 vulnerabilities**, including **14 critical flaws**, in version `148.0.7778.167/168` for Windows and Mac and `148.0.7778.167` for Linux. The most severe issues include heap buffer overflows, integer overflows, use-after-free bugs, a race condition, and insufficient validation of untrusted input in components such as **WebML, Skia, Blink, ANGLE, and Payments**. Google said it is restricting technical details and proof-of-concept information until more users are patched, citing the risk that browser bugs can be weaponized for arbitrary code execution, sandbox escape, data theft, and host compromise. Government and industry advisories urged organizations to update immediately, with the Canadian Centre for Cyber Security issuing notice **AV26-458** for versions prior to `148.0.7778.167/168` on Windows and Mac and prior to `148.0.7778.167` on Linux. The latest release follows an earlier Chrome advisory, **AV26-358**, that covered versions prior to `147.0.7727.101/102`, underscoring a continuing stream of browser security fixes. Google also disclosed bug bounty awards tied to the new patch set, including **$43,000** for `CVE-2026-8509` in WebML and **$25,000** for `CVE-2026-8510` in Skia.
May 21, 2026
Chrome Desktop Update Fixes 28 Flaws Including Critical Memory Corruption Bugs
Google released a Stable Channel update for Chrome Desktop, upgrading Windows and Mac to **149.0.7827.114/.115** and Linux to **149.0.7827.114**, to address **28 security vulnerabilities** across components including Core, DigitalCredentials, Accessibility, GPU, WebMIDI, Network, DevTools, Extensions, Video, and Views. The release includes **five critical flaws**, notably multiple use-after-free bugs, a heap buffer overflow in GPU, and insufficient validation of untrusted input in Accessibility; Google said technical details will remain restricted until most users are patched or dependent third-party fixes are available. Published CVE records tied to the release highlight several high-severity issues: **`CVE-2026-12013`**, a Chrome Media use-after-free on Windows that could be triggered through a crafted HTML page; **`CVE-2026-12014`**, a Cast use-after-free that could enable a sandbox escape from the local network segment via malicious network traffic; **`CVE-2026-12016`**, a DevTools flaw that could allow sandbox escape after renderer compromise; and **`CVE-2026-12018`**, a Mojo issue that could lead to OS-level privilege escalation on Windows through a malicious file. The Canadian Centre for Cyber Security urged users and administrators running versions prior to the patched builds to review Google’s advisory and apply updates as they become available.
Jun 12, 2026