Google Chrome Stable Channel Update Fixes 29 Vulnerabilities Including Critical WebML Heap Overflow

Updated March 21, 2026 at 05:51 AM · 3 sources

Google released Chrome 146 to the Stable channel for Windows, macOS, and Linux, addressing 29 security vulnerabilities in versions prior to 146.0.7680.71/72 (Windows/macOS) and 146.0.7680.71 (Linux). The most severe issue highlighted is CVE-2026-3913, a critical heap buffer overflow in WebML that could enable remote code execution when a user visits a maliciously crafted webpage; additional high-severity fixes include multiple memory-safety bugs such as use-after-free and out-of-bounds read conditions across browser components.

The Canadian Centre for Cyber Security issued advisory AV26-220 urging organizations to review Google’s guidance and apply the Chrome updates as they become available. A separate Canadian advisory, AV26-206, covers Microsoft Edge Stable updates for versions prior to 145.0.3800.97; while also Chromium-based, it is a distinct vendor release and should be tracked separately from the Chrome 146 patch cycle.

Timeline

  1. Mar 12, 2026

    Google publishes follow-up Chrome advisory for newer stable versions

    On March 12, 2026, Google published another Chrome stable channel security advisory covering versions prior to 146.0.7680.75/76 on Windows and Mac and prior to 146.0.7680.75 on Linux. Google said exploits for CVE-2026-3909 and CVE-2026-3910 exist in the wild, indicating active exploitation.

  2. Mar 10, 2026

    Google issues Chrome 146 stable update fixing 29 vulnerabilities

    On March 10, 2026, Google released Chrome 146 to the stable channel for Windows, macOS, and Linux, addressing 29 security vulnerabilities in versions prior to 146.0.7680.71/72 on Windows and Mac and prior to 146.0.7680.71 on Linux. The fixes included critical CVE-2026-3913, a heap buffer overflow in WebML that could enable remote code execution via a malicious web page.
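The build numbers in this timeline can be turned into a fleet check. The following is an added example, not code from Google, the Canadian Centre for Cyber Security or the original page. The inventory rows, status strings and function names are constructed for illustration, and using the lower build of each Windows/macOS pair (.71 of .71/72, .75 of .75/76) as the cut-off is an assumption.

```python
# Added example: triage a constructed browser inventory against the fixed builds above.

# Thresholds are taken from the page. Where an advisory lists a Windows/macOS
# pair such as .71/72, using the lower build as the cut-off is an assumption.
CHROME_MAR10_FIX = (146, 0, 7680, 71)   # 29 fixes incl. CVE-2026-3913
CHROME_MAR12_FIX = (146, 0, 7680, 75)   # CVE-2026-3909 / CVE-2026-3910 (in the wild)
EDGE_AV26_206_FIX = (145, 0, 3800, 97)  # separate vendor release, tracked separately


def parse_version(text):
    """Turn 'A.B.C.D' into a tuple of ints so builds compare numerically."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(product, version):
    """Return a triage status for one installed browser."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unparseable-version"
    if product == "chrome":
        if v < CHROME_MAR10_FIX:
            return "missing-mar10-and-mar12-fixes"
        if v < CHROME_MAR12_FIX:
            return "missing-mar12-fixes"
        return "at-or-above-mar12-build"
    if product == "edge":
        return "missing-av26-206-fixes" if v < EDGE_AV26_206_FIX else "at-or-above-av26-206-build"
    return "unknown-product"


# Constructed inventory rows: (hostname, product, reported version).
SAMPLE_INVENTORY = [
    ("ws-001", "chrome", "145.0.7632.160"),
    ("ws-002", "chrome", "146.0.7680.72"),   # has the March 10 fixes only
    ("ws-003", "chrome", "146.0.7680.76"),
    ("ws-004", "chrome", "146.0.7680.9"),    # .9 < .71 numerically, not as text
    ("ws-005", "edge", "145.0.3800.97"),
    ("ws-006", "chrome", "146.0.7680"),      # truncated value from a bad collector
]


def triage(inventory):
    """Map each host to its status."""
    return {host: classify(product, version) for host, product, version in inventory}
```

Hosts reported as `missing-mar12-fixes` are the ones to prioritize after the first rollout, since the March 12 advisory is the one that reports exploitation in the wild.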


Related Stories

Google Chrome Stable Channel Update Fixes Three High-Severity Vulnerabilities

Google released a **Chrome Stable Channel** security update for desktop, shipping **145.0.7632.116/117** for Windows and macOS and **144.0.7559.116** for Linux, and urged users to apply updates as they roll out. The Canadian Centre for Cyber Security echoed the guidance in advisory **AV26-159**, recommending administrators review Google’s bulletin and deploy the patched versions to address the disclosed vulnerabilities. Reporting on the release described an “emergency” update that fixes **three High-severity CVEs**, including multiple **out-of-bounds memory access** issues with potential exploitation impact (e.g., memory corruption that can contribute to remote code execution or exploit chains). The vulnerabilities highlighted include `CVE-2026-3061` (out-of-bounds read in Chrome’s **Media** component, reported by Luke Francis) and `CVE-2026-3062` (out-of-bounds read/write in **Tint** / WebGPU shader compiler, reported by Cinzinga), with the update recommended for rapid enterprise deployment due to the risk posed by unpatched browsers.

1 month ago

Google Chrome Emergency Update Patches Multiple Critical Vulnerabilities

Google released an emergency update for *Chrome for Desktop* to **Stable channel 145.0.7632.159/160 (Windows/macOS)** and **145.0.7632.159 (Linux)**, addressing **10 security vulnerabilities**, including **three Critical** issues. Reported flaws include `CVE-2026-3536` (integer overflow in **ANGLE**), `CVE-2026-3537` (object lifecycle issue in **PowerVR**), and `CVE-2026-3538` (integer overflow in **Skia**); additional **High-severity** bugs span components such as **V8**, **WebAssembly**, **CSS**, **DevTools**, and media-related subsystems. Google limited detailed disclosure until patch adoption increases and urged users to update promptly; reported bug bounty awards for individual findings reached **up to $33,000**. The Canadian Centre for Cyber Security echoed Google’s advisory, recommending organizations apply the Chrome updates when available to remediate the affected versions. Separate Canadian Centre advisories also covered unrelated patch guidance for **Drupal contributed modules** (including a **critical access bypass** in *AJAX Dashboard* and moderate issues such as XSS in other modules) and a **Tenable Nessus Manager** vulnerability fixed in versions **10.10.3** and **10.11.3**; these items are distinct from the Chrome emergency update and should be tracked independently in vulnerability management workflows.

1 month ago

Google Chrome Stable Channel Updates Fix Desktop Vulnerabilities

Google released security updates for **Chrome Stable Channel on Desktop** to address vulnerabilities affecting Windows, macOS, and Linux systems. One advisory covered versions prior to **`146.0.7680.164/165`** on Windows and macOS and **`146.0.7680.164`** on Linux, with the Canadian Centre for Cyber Security urging organizations to review Google’s bulletin and deploy updates as they become available. A subsequent advisory addressed additional Chrome desktop flaws in versions prior to **`147.0.7727.55/56`** on Windows and macOS and **`147.0.7727.55`** on Linux. The Canadian Centre for Cyber Security again called on users and administrators to apply the latest browser updates promptly, underscoring continued patching activity for Chrome across supported desktop platforms.

3 weeks ago
