Chrome security update fixes 8 high-severity bugs in desktop browser


Google has released a new Chrome desktop security update that fixes eight high-severity vulnerabilities. The affected versions include Chrome builds before 146.0.7680.164/165 on Windows and macOS, and before 146.0.7680.164 on Linux. Google says the rollout started on March 23, 2026, and will continue over the coming days and weeks.

The short answer is simple. Users should update Chrome as soon as the new version appears in the browser. Several of the flaws are memory safety issues: heap buffer overflows, out-of-bounds reads, an integer overflow, and use-after-free bugs. These bug classes matter because attackers can often abuse them through malicious web content.

Google has not said any of these eight flaws were exploited in the wild at the time of the advisory. It also restricted public bug details for now, which the company says helps protect users until more systems receive the fix.

What Chrome users need to know

This update covers Chrome on Windows, macOS, and Linux. Windows and macOS systems are receiving version 146.0.7680.164 or 146.0.7680.165, while Linux is receiving version 146.0.7680.164. Google’s release note says the update is part of the stable channel rollout, so some devices may get it slightly later than others.

Most of the fixed bugs sit in core browser components that process web content. That matters because Chrome interacts with complex audio, graphics, font, identity, and rendering systems every time users open modern websites. Even when a flaw only allows code execution inside the browser sandbox, it still creates a serious security risk and can become more dangerous if chained with another weakness.

Google’s own wording stays measured. The company says the build includes eight security fixes and notes that it may keep bug details restricted until a majority of users install the patch. That is standard practice for browser vendors when a patch could help attackers reverse-engineer the flaw before users update.

Fixed versions by platform

| Platform | Patched version |
|---|---|
| Windows | 146.0.7680.164/165 |
| macOS | 146.0.7680.164/165 |
| Linux | 146.0.7680.164 |

The eight vulnerabilities fixed in this release

| CVE | Component | Issue type |
|---|---|---|
| CVE-2026-4673 | WebAudio | Heap buffer overflow |
| CVE-2026-4674 | CSS | Out-of-bounds read |
| CVE-2026-4675 | WebGL | Heap buffer overflow |
| CVE-2026-4676 | Dawn | Use after free |
| CVE-2026-4677 | WebAudio | Out-of-bounds read |
| CVE-2026-4678 | WebGPU | Use after free |
| CVE-2026-4679 | Fonts | Integer overflow |
| CVE-2026-4680 | FedCM | Use after free |

Google listed all eight issues in its March 23 stable channel advisory. It also disclosed a $7,000 reward for CVE-2026-4673 in WebAudio, while the reward amounts for the other bugs remain listed as TBD.

One of the more important entries is CVE-2026-4680 in FedCM. The NVD description says it is a use-after-free flaw that could allow a remote attacker to execute arbitrary code inside a sandbox through a crafted HTML page. Another example is CVE-2026-4673 in WebAudio, which NVD says could allow an out-of-bounds memory write via a crafted page.

Why this update matters

In many cases, browser bugs need little user interaction. A victim may only need to open a malicious page, click a link, or load harmful content embedded in a compromised site or ad. Canada’s Cyber Centre summarized the risk in simple terms, saying a remote attacker could entice a user to open a specially crafted web page on a vulnerable browser to exploit the issues.

This release also shows how heavily modern browsers depend on memory safety hardening and large-scale fuzzing. Google credited internal and automated detection tools including AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL for catching many security bugs before they reach stable users.

What users and admins should do now

  • Open Chrome.
  • Click the three-dot menu.
  • Go to Help.
  • Click About Google Chrome.
  • Let Chrome download the update.
  • Restart the browser when prompted.

For businesses, patching should move quickly across managed endpoints. Google’s rollout may take time, but admins do not need to wait if the update already appears in their software distribution and browser management systems.
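For admins who want to confirm coverage, the patched versions listed above can be checked against an endpoint inventory export. The script below is an added example, not code from Google or the original article; the `host,platform,version` line format, the hostnames, and the function names are assumptions.

```python
import re

# Minimum patched build per platform, from the versions quoted in this article.
PATCHED = {
    "windows": (146, 0, 7680, 164),
    "macos": (146, 0, 7680, 164),
    "linux": (146, 0, 7680, 164),
}

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part build number."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one endpoint."""
    floor = PATCHED.get(platform.strip().lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return "unknown"  # flag for manual review instead of assuming safe
    # Tuples compare numerically per component; a plain string comparison
    # would wrongly rank "146.0.7680.99" above "146.0.7680.164".
    return "patched" if version >= floor else "vulnerable"

def audit(inventory):
    """Map hostname -> status for lines of the form 'host,platform,version'."""
    results = {}
    for line in inventory.strip().splitlines():
        fields = [field.strip() for field in line.split(",")]
        if len(fields) == 3:
            results[fields[0]] = classify(fields[1], fields[2])
    return results

# Constructed sample inventory: hostnames, export format and the non-advisory
# version numbers are made up for illustration.
SAMPLE = """
ws-001,Windows,146.0.7680.165
ws-002,Windows,146.0.7680.99
mac-01,macOS,146.0.7680.164
lnx-01,Linux,145.0.7000.10
kiosk-1,ChromeOS,146.0.7680.164
ws-003,Windows,not-installed
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Endpoints reported as `unknown` (unrecognized platform or unparseable version) need manual follow-up; the script does not treat them as patched.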

Quick summary

  • Google released a Chrome desktop update on March 23, 2026.
  • The update fixes eight high-severity vulnerabilities.
  • Patched versions are 146.0.7680.164/165 for Windows and macOS, and 146.0.7680.164 for Linux.
  • Google has not said these bugs were under active exploitation in this advisory.
  • Users should update as soon as the patch becomes available.

FAQ

Is this a zero-day update?

Google’s March 23 advisory does not say these eight flaws were exploited in the wild. It describes them as security fixes in the stable desktop channel release.

Which Chrome versions are safe?

Windows and macOS users should be on 146.0.7680.164 or 146.0.7680.165. Linux users should be on 146.0.7680.164 or later.

Can a malicious website trigger these bugs?

Yes, at least some of the official descriptions say a crafted HTML page could trigger the vulnerability. NVD uses that wording for CVE-2026-4673 and CVE-2026-4680.

Why did Google hide some bug details?

Google says it may keep bug details and links restricted until a majority of users receive the fix. This reduces the chance of attackers using patch details before people update.
