Google Chrome 146 Patches 29 Vulnerabilities: One Rated Critical
Google’s latest stable release addresses a critical heap buffer overflow in the WebML engine alongside eleven high-severity flaws, with researchers collecting over $119,000 in bug bounties for their discoveries.
Google officially promoted Chrome 146 to the stable channel on March 10, 2026, delivering fixes for 29 tracked security vulnerabilities across its Windows, macOS, and Linux desktop builds. The release — versioned 146.0.7680.71 for Linux and 146.0.7680.71 / 146.0.7680.72 for Windows and macOS — marks one of the more significant patch drops of the year, with memory-corruption bugs dominating the advisory.
The most alarming finding is CVE-2026-3913, a critical-severity heap buffer overflow nestled inside Chrome’s WebML component — the browser’s machine-learning inference layer. Security researcher Tobias Wienand reported the flaw and was awarded a $33,000 bug bounty by Google’s Vulnerability Reward Program. Heap buffer overflows arise when a program writes beyond the bounds of an allocated memory block, potentially overwriting adjacent data structures; in a browser context, this class of bug can enable a remote attacker to execute arbitrary code simply by luring a victim to a weaponised page.
- CVE-2026-3913 (critical, WebML) — $33,000 awarded to Tobias Wienand.
- CVE-2026-3914 & CVE-2026-3915 (high, WebML) — $43,000 each, making WebML the single most costly component in this cycle.
Full Vulnerability Breakdown
Of the 29 fixes, 25 were assigned public CVE identifiers. The remaining four were internal Google findings not requiring external disclosure. The severity distribution: 1 Critical, 11 High, 11 Medium, and 5 Low.
| CVE | Type | Component |
|---|---|---|
| CVE-2026-3913 | Heap buffer overflow | WebML |

| CVE | Type | Component |
|---|---|---|
| CVE-2026-3914 | Integer overflow | WebML |
| CVE-2026-3915 | Heap buffer overflow | WebML |
| CVE-2026-3916 | Out-of-bounds read | Web Speech |
| CVE-2026-3917 | Use-after-free | Agents |
| CVE-2026-3918 | Use-after-free | WebMCP |
| CVE-2026-3919 | Use-after-free | Extensions |
| CVE-2026-3920 | Out-of-bounds memory access | WebML |
| CVE-2026-3921 | Use-after-free | Text Encoding |
| CVE-2026-3922 | Use-after-free | MediaStream |
| CVE-2026-3923 | Use-after-free | WebMIDI |
| CVE-2026-3924 | Use-after-free | WindowDialog |

| CVE | Type | Component |
|---|---|---|
| CVE-2026-3925 | Incorrect security UI | LookalikeChecks |
| CVE-2026-3926 | Out-of-bounds read | V8 |
| CVE-2026-3927 | Incorrect security UI | Picture-in-Picture |
| CVE-2026-3928 | Insufficient policy enforcement | Extensions |
| CVE-2026-3929 | Side-channel information leakage | ResourceTiming |
| CVE-2026-3930 | Unsafe navigation | Navigation |
| CVE-2026-3931 | Heap buffer overflow | Skia |
| CVE-2026-3932 | Insufficient policy enforcement | |
| CVE-2026-3934 | Insufficient policy enforcement | ChromeDriver |
| CVE-2026-3935 | Incorrect security UI | Web App Installs |
| CVE-2026-3936 | Use-after-free | WebView |

| CVE | Type | Component |
|---|---|---|
| CVE-2026-3937 | Incorrect security UI | Downloads |
| CVE-2026-3938 | Insufficient policy enforcement | Clipboard |
| CVE-2026-3939 | Insufficient policy enforcement | |
| CVE-2026-3940 | Insufficient policy enforcement | DevTools |
| CVE-2026-3941 | Insufficient policy enforcement | DevTools |
| CVE-2026-3942 | Incorrect security UI | Picture-in-Picture |
Why These Bugs Matter
The WebML component — Chrome’s built-in layer for running on-device AI inference — appears four times across the critical and high tiers, suggesting the API’s attack surface is drawing serious scrutiny as its adoption grows. Use-after-free (UAF) flaws, which account for the majority of the high-severity findings, are a particularly attractive target for attackers: they allow code to reference memory that has already been freed, a technique routinely used to break out of browser security sandboxes.
If left unpatched, the most severe vulnerabilities in this release could allow a remote attacker to execute arbitrary code on a victim’s machine simply by directing them to a specially crafted webpage — no file download required.
How to Update
Chrome will pull the update automatically in the background, but a manual check and restart is the fastest path to protection:
`chrome://settings/help`

The desktop release covers Windows 10/11, macOS, and Linux. Chrome for Android reached early stable rollout on March 5 as version 146.0.7680.65 and will continue its phased rollout to all Android users in the coming days. Chrome for iOS follows a separate schedule via the App Store.
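For anyone verifying patch state across a fleet rather than one desktop, the following POSIX shell snippet is an added example (not from the article or from Google): it pulls the version string out of `google-chrome --version` output and compares it field by field against 146.0.7680.71, the minimum patched Linux build named above. The `google-chrome` launcher name is the standard Linux one; the sample version strings in the usage are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the article: report whether an installed Chrome
# build is at or above the Chrome 146 patched version.

# Minimum patched Linux build from the Chrome 146 advisory.
PATCHED_VERSION="146.0.7680.71"

# version_ge A B: return 0 if dotted version A >= B (numeric, field by field).
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# chrome_status "Google Chrome X.Y.Z.W": print patched|vulnerable|unknown.
# Exit status: 0 patched, 1 vulnerable, 2 no version found in the input.
chrome_status() {
    v=$(printf '%s' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1)
    if [ -z "$v" ]; then
        echo "unknown"
        return 2
    fi
    if version_ge "$v" "$PATCHED_VERSION"; then
        echo "patched"
        return 0
    fi
    echo "vulnerable"
    return 1
}

# Stand-alone usage: check the locally installed binary if one is present.
if command -v google-chrome >/dev/null 2>&1; then
    chrome_status "$(google-chrome --version)"
fi
```

On Windows or macOS the same `chrome_status` function can be fed the version string shown at `chrome://version`; only the way the string is obtained changes, not the comparison.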
Google has also announced a structural change alongside this release: Chrome’s stable update cycle is moving from four weeks to two weeks, a cadence shift designed to accelerate security patching. The full transition to this rhythm is expected to complete by autumn 2026.
