Chrome 146 security update fixes 29 vulnerabilities, including a critical WebML flaw

Google has released Chrome 146 to the stable channel for Windows, Mac, and Linux, and the update includes 29 security fixes. The patched versions are Chrome 146.0.7680.71 for Linux and Chrome 146.0.7680.71/72 for Windows and Mac, with the rollout happening over the coming days and weeks.

The most serious issue fixed in this release is CVE-2026-3913, a critical heap buffer overflow in WebML. Google’s bulletin says researcher Tobias Wienand reported the flaw on February 10, 2026, and received a $33,000 reward.

For users, the key takeaway is simple. Update Chrome now. Google has not said these bugs were exploited in the wild, but several of the patched flaws are memory corruption issues that can become serious security risks if attackers weaponize them. Google also said it is restricting bug details until more users install the fix.

What Google patched

Google’s March 10 bulletin lists 29 security fixes across multiple Chrome components. The highest-profile bugs in this release affect WebML, but the update also addresses flaws in Web Speech, Agents, WebMCP, Extensions, TextEncoding, MediaStream, WebMIDI, WindowDialog, V8, PDF, ChromeDriver, DevTools, and other areas.

Several of the high-severity flaws involve use-after-free bugs, which attackers often target because they can lead to crashes, memory corruption, and in some cases arbitrary code execution. The update also fixes out-of-bounds reads, incorrect security UI issues, unsafe navigation, side-channel leakage, and policy enforcement weaknesses.

Google awarded significant bug bounties for some of these discoveries. The company said CVE-2026-3914 and CVE-2026-3915 each earned $43,000, while CVE-2026-3916 earned $36,000.

Highest-severity vulnerabilities in Chrome 146

Source: Google Chrome Releases bulletin.

Why this update matters

Browsers remain one of the most exposed pieces of software on any PC because they process untrusted web content all day. A flaw in a browser engine or web-facing component can give attackers a path to crash the browser, escape security boundaries, or run unwanted code after a victim opens a malicious page. That is why Chrome security updates matter even when Google has not reported active exploitation.

This release also stands out because WebML appears several times in the high-severity list. That does not mean the feature is under active attack, but it does show where security researchers focused attention during this cycle.

What users should do now

• Open Chrome
• Click the three-dot menu
• Go to <strong>Help</strong>
• Click <strong>About Google Chrome</strong>
• Let Chrome download the update
• Restart the browser to apply the patch

Google says the stable rollout will continue over the coming days and weeks, so some systems may receive it slightly later than others.

Version details

Source: Google Chrome Releases.

FAQ