Severity
High
Analysis Summary
Google Chrome version 146 has been officially released to the stable channel, bringing important security updates for Windows, Mac, and Linux users. The update, delivered as 146.0.7680.71 for Linux and 146.0.7680.71/72 for Windows and Mac, fixes 29 security vulnerabilities that could otherwise allow attackers to compromise systems. If exploited, these weaknesses could enable remote code execution (RCE), system compromise, or denial-of-service (DoS) attacks, making this update critical for maintaining browser security.
The most severe issue addressed in this release is CVE-2026-3913, a critical heap buffer overflow vulnerability in Chrome’s WebML component. The flaw was discovered by a security researcher, who received a $33,000 bug bounty for reporting it. Heap buffer overflow vulnerabilities occur when a program writes more data to memory than the allocated space allows, which can overwrite nearby memory structures. Attackers could potentially exploit this flaw by luring users to a maliciously crafted webpage, enabling them to execute arbitrary code on the victim’s system.
In addition to the critical vulnerability, Google also fixed 11 High-severity flaws affecting multiple browser components. Several vulnerabilities were discovered in the WebML API, including CVE-2026-3914 and CVE-2026-3915, each earning $43,000 bug bounties. Other high-risk vulnerabilities include out-of-bounds read and use-after-free (UAF) issues in different components such as Web Speech, Chrome Extensions, Agents, WebMCP, TextEncoding, MediaStream, WebMIDI, and WindowDialog. These flaws are particularly dangerous because attackers often exploit UAF vulnerabilities to bypass browser security protections and gain unauthorized control.
Google also resolved several medium and low-severity issues, including incorrect security UI implementations in components like Picture-in-Picture and insufficient policy enforcement in PDF and DevTools. Overall, Google awarded more than $150,000 in bug bounties to researchers who responsibly disclosed these vulnerabilities before they could be exploited. To reduce the risk of attackers reverse-engineering the fixes, Google temporarily restricts access to detailed vulnerability information until most users update. Users are strongly advised to update Google Chrome by navigating to Menu → Help → About Google Chrome, which will automatically download version 146 and apply the latest security protections after a browser restart.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
- CVE-2026-3916
- CVE-2026-3917
- CVE-2026-3919
- CVE-2026-3921
- CVE-2026-3924
- CVE-2026-3914
- CVE-2026-3915
- CVE-2026-3913
Remediation
- Update Google Chrome to version 146 or later to ensure all 29 security vulnerabilities are patched.
- Enable automatic browser updates so future security patches are installed without delay.
- Restart the browser after updating to ensure all security fixes are fully applied.
- Avoid visiting untrusted or suspicious websites, as some vulnerabilities can be exploited through malicious web pages.
- Limit or remove unnecessary browser extensions, and only install extensions from the official Chrome Web Store.
- Regularly review and update system security controls such as antivirus and endpoint protection solutions.
- Organizations should deploy patch management policies to ensure all endpoints receive Chrome updates promptly.
- Monitor security advisories related to Google and apply recommended updates as soon as they become available.
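As an added example that is not part of the advisory, the following Python check compares a constructed endpoint inventory against the fixed builds named above (146.0.7680.71 is the lowest fixed build on every platform; the Windows/Mac .72 build sorts above it) and lists the hosts that still need the update. Hostnames and version strings in the sample are assumed values, not data from the advisory.

```python
# Added example (not from the advisory): flag inventory hosts whose Chrome
# build is still below the fixed 146.0.7680.71 release.
from __future__ import annotations
import re

# Fixed builds named in the advisory (Linux: .71; Windows/Mac: .71 or .72);
# the lowest fixed build per platform is the compliance floor.
FIXED_BUILD = {
    "linux": (146, 0, 7680, 71),
    "windows": (146, 0, 7680, 71),
    "mac": (146, 0, 7680, 71),
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

def parse_version(text: str) -> tuple[int, ...]:
    """Parse 'major.minor.build.patch' into an int tuple. Tuple comparison
    orders 146.0.7680.9 < 146.0.7680.71 correctly, where string comparison
    would not. Raises ValueError so a garbled row is never treated as patched."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Chrome version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_patched(platform: str, version: str) -> bool:
    """True if `version` is at or above the fixed build for `platform`."""
    return parse_version(version) >= FIXED_BUILD[platform.lower()]

def unpatched_hosts(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Hosts below the fixed build; unparseable versions count as unpatched."""
    flagged = []
    for host, platform, version in inventory:
        try:
            if not is_patched(platform, version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)  # unknown state: never assume it is safe
    return flagged

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "146.0.7680.72"),   # patched: Windows/Mac .72 build
    ("ws-02", "windows", "145.0.7632.118"),  # still on 145: unpatched
    ("mac-03", "mac", "146.0.7680.71"),      # patched: minimum fixed build
    ("lx-04", "linux", "146.0.7680.9"),      # 146 but below .71: unpatched
    ("lx-05", "linux", "unknown"),           # inventory gap: treat as unpatched
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update Chrome to 146.0.7680.71 or later")
```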