Google releases emergency Chrome update to fix 10 security vulnerabilities
3 min. read 
Published on
Google has shipped a Chrome security update that moves the Stable channel to 145.0.7632.159/160 on Windows and macOS, and 145.0.7632.159 on Linux. Google published the Stable update notice on March 3, 2026, and the rollout will take place over the coming days and weeks.
Google says the release includes 10 security fixes. Three of them carry a Critical severity rating, and the highest-paid fix earned a $33,000 bug bounty.
Google has not reported active exploitation for these bugs in the Stable update post. Google also says it may restrict bug details until most users install the update, which keeps weaponization harder while the patch reaches more devices.
If you run Chrome on managed endpoints, push the update fast. Graphics bugs in ANGLE and Skia can allow out-of-bounds memory access through a crafted page, which can sometimes lead to crashes or more serious outcomes depending on the exploit chain.
Versions and severity at a glance
| Platform | New Stable version | Total fixes | Critical | High |
|---|---|---|---|---|
| Windows, macOS | 145.0.7632.159/160 | 10 | 3 | 7 |
| Linux | 145.0.7632.159 | 10 | 3 | 7 |
Google lists all 10 fixes in the Chrome Releases bulletin.
The 10 patched CVEs
| CVE | Severity | Component | Issue type | Reporter and reward |
|---|---|---|---|---|
| CVE-2026-3536 | Critical | ANGLE | Integer overflow | cinzinga, $33,000 |
| CVE-2026-3537 | Critical | PowerVR | Object lifecycle | Zhihua Yao (KunLun Lab), $32,000 |
| CVE-2026-3538 | Critical | Skia | Integer overflow | Symeon Paraschoudis |
| CVE-2026-3539 | High | DevTools | Object lifecycle | Zhenpeng (Leo) Lin (depthfirst) |
| CVE-2026-3540 | High | WebAudio | Inappropriate implementation | Davi Antônio Cruz |
| CVE-2026-3541 | High | CSS | Inappropriate implementation | Syn4pse |
| CVE-2026-3542 | High | WebAssembly | Inappropriate implementation | qymag1c |
| CVE-2026-3543 | High | V8 | Inappropriate implementation | qymag1c |
| CVE-2026-3544 | High | WebCodecs | Heap buffer overflow | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-3545 | High | Navigation | Insufficient data validation |
What users should do
- Update Chrome: Settings → Help → About Google Chrome, then let Chrome download the update and restart.
- Update via enterprise tools: push the new Stable build across managed devices as soon as it appears in your update channels.
- Keep an eye on crash spikes: memory-safety fixes can change stability profiles briefly after rollout.
What enterprise teams should watch
- Systems that render lots of untrusted content, such as kiosk browsers and shared workstations.
- Endpoints with GPU-heavy workloads, since two of the Critical issues sit in graphics components.
- Linux fleets that lag behind, since the Linux version number differs slightly from Windows and macOS.
FAQ
Google does not claim active exploitation in the Stable update bulletin. Google says it may keep bug details restricted until most users update.
The NVD entry for CVE-2026-3536 describes an integer overflow in ANGLE that can lead to out-of-bounds memory access via a crafted HTML page.
The Canadian Centre for Cyber Security advisory says versions prior to 145.0.7632.159/160 on Windows and macOS, and prior to 145.0.7632.159 on Linux.
Google says the update will roll out over the coming days and weeks.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages