Chrome security update fixes 26 flaws, including critical bugs in WebGL and V8

Google has released a new Chrome desktop security update that fixes 26 security vulnerabilities across Windows, macOS, and Linux. The latest Stable channel build moves Chrome to version 146.0.7680.153/154 on Windows and macOS, and 146.0.7680.153 on Linux.

This is a significant patch because Google lists three of the flaws as critical and 22 as high severity. The affected components include WebGL, WebRTC, V8, Blink, ANGLE, CSS, WebAudio, Dawn, Navigation, Network, PDFium, Extensions, Skia, and the Digital Credentials API.

Users should update Chrome as soon as possible. Google says the rollout will continue over the coming days and weeks, but the fixes are already included in the published desktop builds.

What Google fixed in the latest Chrome update

Google’s official release note says this desktop update includes 26 security fixes. The most serious issues include out-of-bounds memory access in WebGL, out-of-bounds read and write in WebGL, and a use-after-free flaw in Base.

Those bug classes matter because memory corruption issues can sometimes open the door to browser crashes, sandbox bypass attempts, or code execution. Google does not say every one of these 26 flaws directly enables remote code execution on its own, but several of the critical and high-severity bugs fall into categories attackers often target for serious compromise.

Severity breakdown

Severity	Count
Critical	3
High	22
Medium	1
Total	26

This breakdown comes from Google’s official Chrome release post and the published CVE list.

Most important vulnerabilities patched

Google highlights three critical issues in this release. Two affect WebGL, and one affects Base.

Critical flaws

CVE	Severity	Component	Vulnerability type
CVE-2026-4439	Critical	WebGL	Out-of-bounds memory access
CVE-2026-4440	Critical	WebGL	Out-of-bounds read and write
CVE-2026-4441	Critical	Base	Use-after-free

Source: Google Chrome Releases.

Beyond those, Google lists a long set of high-severity bugs in major browser subsystems. Several of them affect WebRTC, V8, Blink, ANGLE, and Network, which are all common targets because they process complex content from websites and apps.

Other notable high-severity flaws

• CVE-2026-4444: Stack buffer overflow in WebRTC
• CVE-2026-4445: Use-after-free in WebRTC
• CVE-2026-4446: Use-after-free in WebRTC
• CVE-2026-4450: Out-of-bounds write in V8
• CVE-2026-4454: Use-after-free in Network
• CVE-2026-4455: Heap buffer overflow in PDFium
• CVE-2026-4457: Type confusion in V8
• CVE-2026-4463: Heap buffer overflow in WebRTC

These entries appear in Google’s official desktop release bulletin for March 18, 2026.

Why this update matters

Chrome security updates often fix bugs before attackers can use them widely, and Google follows a standard practice of limiting public access to full bug details until enough users have updated. Google repeats that policy in this release note and says it may also keep some restrictions in place when third-party libraries remain unpatched elsewhere.

That means patching early matters. Once researchers and attackers compare the updated code with older builds, exploit development can become easier, especially for memory corruption bugs in widely exposed browser components. This is an inference based on Google’s disclosure policy and normal browser security practice.

The release also follows another recent Chrome security fix from March 13, when Google patched CVE-2026-3909, a high-severity Skia flaw that the company said had already been exploited in the wild. That earlier case adds urgency to the current update even though Google has not said these new 26 flaws are under active exploitation.

A researcher found a large share of the bugs

One detail that stands out in Google’s bulletin is the repeated appearance of the pseudonymous researcher “c6eed09fc8b174b0f3eebedcceb1e792.” Google credits that researcher with reporting one critical flaw and several high-severity bugs in WebAudio, WebRTC, and Navigation.

That concentration does not change the risk by itself, but it shows how much of this patch cycle came from focused external research rather than random bug discovery.

Which Chrome versions users need

Google says the updated desktop versions are:

• Windows: 146.0.7680.153 or 146.0.7680.154
• macOS: 146.0.7680.153 or 146.0.7680.154
• Linux: 146.0.7680.153

Google also says Android releases contain the same security fixes as the corresponding desktop builds unless otherwise noted. Chrome 146.0.76380.153 for Android started rolling out on March 18, 2026.

What users and IT teams should do now

Users should open Chrome and check whether the browser has already updated to the latest stable version. Enterprise admins should push the patched build quickly across managed fleets, especially where users handle external web content, file downloads, PDFs, conferencing tools, or browser-based business apps. This is an inference from the affected components and normal enterprise patching priorities.

Immediate steps

• Update Chrome on all desktop systems
• Restart the browser after the update finishes
• Verify the installed version matches the fixed build
• Prioritize systems that access untrusted websites or web apps
• Watch for follow-up Chrome releases over the next several days

FAQ