Chrome Security Update – Patch for 29 Vulnerabilities that Allow Remote Code Execution



Google has officially released Chrome version 146 to the stable channel, delivering crucial security updates for Windows, Mac, and Linux users.

Rolling out over the coming days, Chrome 146.0.7680.71 for Linux and 146.0.7680.71/72 for Windows and Mac addresses 29 security vulnerabilities.

Many of these flaws, if left unpatched, could allow remote attackers to execute arbitrary code, compromise system integrity, or trigger denial-of-service conditions.

The most severe vulnerability resolved in this release is CVE-2026-3913, a Critical-severity heap buffer overflow in the WebML component.

Discovered by security researcher Tobias Wienand, this memory corruption issue earned a $33,000 bug bounty. A heap buffer overflow occurs when a program writes more data to a memory location than the allocated size allows.

Threat actors can exploit this weakness to overwrite adjacent memory structures, potentially leading to remote code execution (RCE) when a user simply visits a maliciously crafted web page.


High-Severity Vulnerabilities Patched

In addition to the critical flaw, Google patched 11 High-severity vulnerabilities. The WebML API proved to be a frequent target in this update cycle, with two additional High-severity bugs (CVE-2026-3914 and CVE-2026-3915) earning $43,000 each in bounty payouts.

Other significant High-severity patches include out-of-bounds read and use-after-free (UAF) vulnerabilities across various browser components.

UAF flaws occur when a program continues to use memory after it has been freed, a bug class attackers frequently exploit to escape browser security sandboxes.

Key High-severity fixes include:

  • CVE-2026-3916: An out-of-bounds read flaw in the Web Speech component.
  • CVE-2026-3917 & CVE-2026-3918: Use-after-free vulnerabilities in the Agents and WebMCP components.
  • CVE-2026-3919: A use-after-free bug in Chrome Extensions.
  • CVE-2026-3921 to CVE-2026-3924: Multiple use-after-free bugs affecting TextEncoding, MediaStream, WebMIDI, and WindowDialog.

The update also resolves multiple Medium and Low-severity issues. These range from incorrect security UI implementations in components like PictureInPicture to insufficient policy enforcement in PDF and DevTools.

Google paid out well over $150,000 in combined bug bounties to independent researchers for identifying these issues before they could be actively exploited.

To protect users, Google restricts access to specific bug details and exploit links until a majority of the user base has updated their browsers.

This prevents threat actors from reverse-engineering the patches to target vulnerable individuals. As attackers increasingly target web browsers, individuals and organizations must prioritize timely security updates to protect against sophisticated threats.

To ensure your browser is protected, open Google Chrome, navigate to the three-dot menu, select “Help,” and click on “About Google Chrome.”

The browser will automatically check for the version 146 update and install it. A quick browser restart is required to apply the latest protections, reinforcing your defense-in-depth strategy against emerging vulnerabilities.
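For administrators who need to confirm the fix across many machines rather than one About page, the following added example (not from the article or from Google) parses the version string Chrome prints for `--version` and compares it against the fixed build quoted above, 146.0.7680.71; the host names, sample outputs and the `google-chrome` binary name are assumptions.

```python
import re
import subprocess
from typing import Optional, Tuple

# First patched build named in the release notes: 146.0.7680.71 on Linux,
# 146.0.7680.71 or .72 on Windows and Mac, so .71 is the floor on every platform.
PATCHED_MIN: Tuple[int, int, int, int] = (146, 0, 7680, 71)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the four-part version from output such as 'Google Chrome 146.0.7680.71'."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(version_text: str) -> bool:
    """True when the reported build is at or above PATCHED_MIN; unparseable output counts as unverified."""
    v = parse_chrome_version(version_text)
    return v is not None and v >= PATCHED_MIN


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask the local Chrome binary for its version line; None if it is not installed or hangs."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


# Constructed sample outputs, shaped like what an inventory agent would collect per host.
SAMPLES = {
    "host-a": "Google Chrome 146.0.7680.71",
    "host-b": "Google Chrome 145.0.7632.140",   # constructed pre-patch build
    "host-c": "Google Chrome 146.0.7680.72",
    "host-d": "google-chrome: command not found",
}


def hosts_needing_update(samples=SAMPLES):
    """Hosts whose reported build is older than the fix or could not be read at all."""
    return sorted(host for host, text in samples.items() if not is_patched(text))


if __name__ == "__main__":
    local = installed_chrome_version()
    print("local:", local, "(patched)" if local and is_patched(local) else "(not verified)")
    print("needs update:", hosts_needing_update())
```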
