Google Pushes Critical Chrome Update Fixing Ten Security Flaws, Three Rated Highest Severity
The stable channel release issued on March 3rd addresses a trio of critical-rated vulnerabilities alongside seven high-severity bugs — users are urged to restart their browser to complete the update.
Google released an emergency security update for its Chrome desktop browser on Tuesday, March 3, 2026, pushing version 145.0.7632.159/160 to Windows and macOS users and version 145.0.7632.159 to Linux users. The update, which began rolling out across the stable channel, patches ten confirmed security vulnerabilities — three of which carry a Critical rating, the most severe designation in Google’s four-tier vulnerability scale.
The update was announced directly through Google’s official Chrome Releases blog, which noted that access to full bug details may remain restricted until the majority of the user base has received the patch. This is standard practice for Google when vulnerabilities exist in shared third-party libraries that have not yet been fixed upstream.
The Critical Vulnerabilities
Leading the severity list is CVE-2026-3536, an integer overflow in ANGLE — Chrome’s cross-platform graphics abstraction layer — reported by security researcher cinzinga on February 18 and accompanied by a $33,000 bug bounty reward. The second Critical-rated flaw, CVE-2026-3537, is an object lifecycle issue in PowerVR, a graphics processing component, reported by Zhihua Yao of KunLun Lab on January 8 and awarded $32,000. The third Critical issue, CVE-2026-3538, is another integer overflow, this time in Skia, Chrome’s core 2D graphics engine, reported by Symeon Paraschoudis on February 17; the bounty amount for this one remains to be determined.
Integer overflow vulnerabilities in graphics libraries are particularly concerning because they can be triggered remotely through crafted web content — meaning a user could be compromised simply by visiting a malicious webpage. Object lifecycle issues, similarly, can result in use-after-free conditions that allow attackers to execute arbitrary code within the browser’s process space.
Full List of Patched Vulnerabilities
| CVE ID | Description | Severity |
|---|---|---|
| CVE-2026-3536 | Integer overflow in ANGLE | Critical |
| CVE-2026-3537 | Object lifecycle issue in PowerVR | Critical |
| CVE-2026-3538 | Integer overflow in Skia | Critical |
| CVE-2026-3539 | Object lifecycle issue in DevTools | High |
| CVE-2026-3540 | Inappropriate implementation in WebAudio | High |
| CVE-2026-3541 | Inappropriate implementation in CSS | High |
| CVE-2026-3542 | Inappropriate implementation in WebAssembly | High |
| CVE-2026-3543 | Inappropriate implementation in V8 | High |
| CVE-2026-3544 | Heap buffer overflow in WebCodecs | High |
| CVE-2026-3545 | Insufficient data validation in Navigation | High |
High-Severity Bugs Also Addressed
Beyond the three Critical flaws, seven additional vulnerabilities rated High are addressed in this release. These span a broad range of Chrome subsystems, including DevTools, WebAudio, CSS rendering, WebAssembly, Google’s V8 JavaScript engine, the WebCodecs API, and the browser’s navigation stack. A heap buffer overflow in WebCodecs (CVE-2026-3544) is of particular note, as buffer overflows in media processing components have historically been attractive targets for exploitation. One of the High-severity reports — CVE-2026-3545 in Navigation — was discovered internally by Google itself.
Google has not confirmed active exploitation of any of the ten vulnerabilities at the time of publishing. However, caution is warranted: Google restricts disclosure of technical specifics until a critical mass of users has patched, precisely because public details could enable threat actors to develop working exploits quickly. The proximity of this release to a confirmed zero-day from earlier in February (CVE-2026-2441, which saw active in-the-wild exploitation) further underscores the importance of prompt action.
🛡 How to Update Google Chrome Right Now
- Open Chrome and click the three-dot menu (⋮) in the top-right corner.
- Navigate to Help → About Google Chrome, or type chrome://settings/help directly in the address bar.
- Chrome will automatically check for and download the update if it hasn’t already.
- Restart Chrome when prompted — the update is not fully applied until the browser relaunches.
Target version: 145.0.7632.159 (Linux) or 145.0.7632.159/160 (Windows/Mac)
Context and Recommendations
Chrome is available as a free download for Windows 10 and 11, macOS, and Linux. Users who already have Chrome installed will receive this update automatically in the background, but the patch is not activated until a full browser restart is performed. Organizations managing Chrome deployments via enterprise policy should prioritize pushing this update to endpoints given the Critical-rated components involved.
Security researchers whose reports contributed to this update were acknowledged by Google, which also credited its own automated tooling — including AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, and fuzzing frameworks libFuzzer and AFL — for detecting a portion of the underlying bugs during development cycles before they could reach end users.
Given the severity of the patched flaws and the history of Chrome vulnerabilities being weaponized rapidly once details become public, users and administrators alike are advised to treat this update with urgency. Waiting for automatic background updates is insufficient; restarting Chrome is required to complete protection.
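For administrators verifying the rollout, the following is an added example (not from Google or from the original article) that classifies endpoints against the fixed build 145.0.7632.159 and separates machines where the update is on disk but Chrome has not yet been restarted. The inventory layout, hostnames and every sample version string other than the fixed build are constructed for illustration; how installed and running versions are collected is left to your endpoint tooling.

```python
import re

# Fixed build named in the article for Windows, macOS and Linux.
PATCHED = (145, 0, 7632, 159)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from text such as
    'Google Chrome 145.0.7632.159' and return it as a tuple of ints."""
    match = _VERSION_RE.search(text or "")
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def classify(installed, running):
    """Return 'patched', 'restart_pending', 'vulnerable' or 'unknown'."""
    inst, run = parse_version(installed), parse_version(running)
    if inst is None or run is None:
        return "unknown"
    if inst < PATCHED:
        return "vulnerable"        # fixed build has not been downloaded
    if run < PATCHED:
        return "restart_pending"   # fixed build on disk, old build in memory
    return "patched"


# Constructed inventory rows: (hostname, installed version, running version).
# wks-03 shows why tuples are compared: as strings, "99" sorts after "159".
SAMPLE_INVENTORY = [
    ("wks-01", "Google Chrome 145.0.7632.160", "145.0.7632.160"),
    ("wks-02", "Google Chrome 145.0.7632.159", "145.0.7632.116"),
    ("wks-03", "Google Chrome 145.0.7632.99", "145.0.7632.99"),
    ("wks-04", "Google Chrome 146.0.7680.12", "146.0.7680.12"),
    ("wks-05", "", "145.0.7632.159"),
]


def audit(inventory):
    """Map each hostname to its patch status."""
    return {host: classify(inst, run) for host, inst, run in inventory}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `restart_pending` are the ones the article warns about: the background update has landed, but the vulnerable build keeps running until Chrome relaunches.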
