Google has released an urgent security update for its Chrome desktop browser to address 21 vulnerabilities, including a critical zero-day flaw that is actively being exploited in the wild.
Users are strongly urged to update their browsers immediately to version 146.0.7680.177/.178 for Windows and Mac, or 146.0.7680.177 for Linux.
Active Zero-Day Threat
The most severe vulnerability patched in this release is CVE-2026-5281, a high-severity “use after free” memory flaw located within the Dawn component.
Google has explicitly confirmed that an exploit for this specific vulnerability exists in the wild, indicating that threat actors are actively leveraging it in targeted attack campaigns.
This type of memory corruption bug typically allows attackers to execute malicious code or trigger system crashes when a victim visits a compromised website.
Alongside the urgent zero-day patch, Google resolved 20 other security flaws reported by external researchers and internal teams.
The majority of these are high-severity memory safety issues, including multiple heap buffer overflows and use-after-free bugs across essential browser components like WebCodecs, ANGLE, and the V8 JavaScript engine.
Google notes that these fixes were facilitated by advanced internal testing frameworks, such as AddressSanitizer and MemorySanitizer, which help catch severe flaws before they reach the stable channel.
To assist security teams and administrators in tracking the latest patches, below is the complete list of all 21 disclosed CVEs addressed in this Chrome update.
| CVE ID | Severity | Description | Reporter |
|---|---|---|---|
| CVE-2026-5272 | High | Heap buffer overflow in GPU | inspector-ambitious |
| CVE-2026-5273 | High | Use after free in CSS | Anonymous |
| CVE-2026-5274 | High | Integer overflow in Codecs | heapracer |
| CVE-2026-5275 | High | Heap buffer overflow in ANGLE | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5276 | High | Insufficient policy enforcement in WebUSB | Ariel Simon |
| CVE-2026-5277 | High | Integer overflow in ANGLE | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5278 | High | Use after free in Web MIDI | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5279 | High | Object corruption in V8 | Hyeonjun Ahn |
| CVE-2026-5280 | High | Use after free in WebCodecs | heapracer |
| CVE-2026-5281 | High | Use after free in Dawn | 86ac1f1587b71893ed2ad792cd7dde32 |
| CVE-2026-5282 | High | Out of bounds read in WebCodecs | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5283 | High | Inappropriate implementation in ANGLE | sweetchip |
| CVE-2026-5284 | High | Use after free in Dawn | 86ac1f1587b71893ed2ad792cd7dde32 |
| CVE-2026-5285 | High | Use after free in WebGL | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-5286 | High | Use after free in Dawn | sweetchip |
| CVE-2026-5287 | High | Use after free in PDF | Syn4pse |
| CVE-2026-5288 | High | Use after free in WebView | |
| CVE-2026-5289 | High | Use after free in Navigation | |
| CVE-2026-5290 | High | Use after free in Compositing | |
| CVE-2026-5291 | Medium | Inappropriate implementation in WebGL | heapracer |
| CVE-2026-5292 | Medium | Out of bounds read in WebCodecs | |
Chrome users are strongly advised to manually check for updates by navigating to their browser settings menu immediately.
Organizations and security teams relying on Chrome-based platforms should prioritize deploying this patch across their environments to safeguard against remote code execution attempts.
The browser will automatically apply the fix upon restarting, effectively closing the window of opportunity for threat actors.
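One way to act on the deployment advice above is to sweep an inventory export for Chrome builds older than the fixed release. This is an added example, not code from Google or from this article; the `host,platform,version` line format, the host names and the sample versions are constructed assumptions.

```python
import re

# 146.0.7680.177 is the lowest fixed build on every platform the article lists.
FIXED_BUILD = (146, 0, 7680, 177)
KNOWN_PLATFORMS = {"windows", "mac", "linux"}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a four-part build."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def triage(inventory_lines):
    """Classify each 'host,platform,version' line as patched, vulnerable or unknown."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_lines:
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            result["unknown"].append(line.strip())
            continue
        host, platform, raw = fields
        version = parse_version(raw)
        if version is None or platform.lower() not in KNOWN_PLATFORMS:
            result["unknown"].append(host)   # needs manual follow-up
        elif version >= FIXED_BUILD:         # tuples compare numerically per part
            result["patched"].append(host)
        else:
            result["vulnerable"].append(host)
    return result


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [
    "ws-001,windows,146.0.7680.178",
    "ws-002,windows,146.0.7680.99",   # a plain string compare would pass this
    "mbp-014,mac,145.0.7600.200",
    "build-03,linux,146.0.7680.177",
    "kiosk-7,linux,unknown",
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be treated as unpatched until their build is confirmed, since a missing version string says nothing about exposure.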

