Google Releases Chrome 146 Update Fixing 8 High-Severity Memory Safety Vulnerabilities


174/69 Thursday, March 26, 2026

Google has released a Chrome 146 update to address eight high-severity vulnerabilities, primarily memory safety issues affecting seven different components of the browser. The most notable flaw, CVE-2026-4673, is a heap buffer overflow in WebAudio, for which the researcher received a $7,000 bug bounty reward. Another issue, CVE-2026-4677, involves an out-of-bounds read in WebAudio, with the reward amount still under evaluation.

The update also includes fixes for several additional vulnerabilities: an out-of-bounds read in CSS (CVE-2026-4674), a heap buffer overflow in WebGL (CVE-2026-4675), and multiple use-after-free vulnerabilities affecting components such as Dawn, WebGPU, and FedCM (CVE-2026-4676, CVE-2026-4678, and CVE-2026-4680). Additionally, an integer overflow issue in Fonts (CVE-2026-4679) has been addressed. Users are advised to update their browsers to version 146.0.7680.164/165 for Windows and macOS, or 146.0.7680.164 for Linux.
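A fleet check for the fixed builds named above, as an added example that is not part of the original article. It assumes a CSV inventory of host, platform and browser version string (the format and hostnames are constructed), and compares versions numerically, since a plain string comparison would rank build .99 above .164.

```python
import re

# Fixed builds as stated in the article; .164 is the lowest patched build on
# every platform (.165 is the alternate Windows/macOS build).
FIXED = {
    "windows": (146, 0, 7680, 164),
    "macos": (146, 0, 7680, 164),
    "linux": (146, 0, 7680, 164),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from free text, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(platform, version_text):
    """True/False for a parseable version, None when it cannot be judged."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return None
    return version >= fixed  # numeric tuple comparison, not string comparison


def audit(inventory_lines):
    """Return (host, platform, version_text, status) for each CSV line."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown"}
    results = []
    for line in inventory_lines:
        host, platform, version_text = [f.strip() for f in line.split(",", 2)]
        results.append((host, platform, version_text,
                        labels[is_patched(platform, version_text)]))
    return results


# Constructed sample inventory (hostnames, format and old versions are made up).
SAMPLE = [
    "ws-001, windows, Google Chrome 146.0.7680.165",
    "mac-014, macos, Google Chrome 146.0.7680.164",
    "lnx-203, linux, Google Chrome 146.0.7680.99",
    "ws-077, windows, Google Chrome 145.0.7000.10",
    "kiosk-5, linux, unknown",
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{:8} {:8} {:32} {}".format(*row))
```

Hosts reported as "unknown" did not yield a parseable version and need a manual check instead of being counted as patched.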

Google strongly recommends that users apply the update immediately, as Chrome vulnerabilities are frequently targeted by attackers. Notably, just two weeks earlier, Google issued an emergency update to patch two zero-day vulnerabilities (CVE-2026-3909 and CVE-2026-3910), which were discovered shortly after Chrome 146 was released. While technical details of these zero-days were not disclosed, Google noted that vulnerabilities identified internally are often targeted by commercial spyware vendors, highlighting the urgency of timely patching.

Source: https://www.securityweek.com/chrome-146-update-patches-high-severity-vulnerabilities/