Google Patches 26 Vulnerabilities in Major Chrome Update, Three Critical
Take action: If you are using Google Chrome or other Chromium-based browsers (Edge, Brave, Vivaldi, Opera...) patch your browser ASAP. This is another huge patch for Chrome and Chromium browsers, and hackers will start exploiting these very soon. Even if you want to debate the severity scoring, it's better to just update. All your tabs reopen after an update, so don't delay.
Learn More
Google has released a massive security update for the Chrome desktop browser fixing 26 security flaws in core browser components, Network stack, and the Digital Credentials API.
Critical vulnerabilities:
- CVE-2026-4439 (CVSS score TBD) — Out of bounds memory access in WebGL,
- CVE-2026-4440 (CVSS score TBD) — Out of bounds read and write in WebGL. The combination of read and write primitives makes this flaw particularly valuable for exploit chains requiring both information leakage and precise memory manipulation.
- CVE-2026-4441 (CVSS score TBD) — Use after free in Base. A use-after-free vulnerability in a low-level core component can often be leveraged to gain powerful exploitation primitives affecting multiple browser subsystems.
The high-severity vulnerabilities are:
- CVE-2026-4442 (CVSS score TBD) — Heap buffer overflow in CSS.
- CVE-2026-4443 (CVSS score TBD) — Heap buffer overflow in WebAudio.
- CVE-2026-4444 (CVSS score TBD) — Stack buffer overflow in WebRTC.
- CVE-2026-4445 (CVSS score TBD) — Use after free in WebRTC.
- CVE-2026-4446 (CVSS score TBD) — Use after free in WebRTC
- CVE-2026-4447 (CVSS score TBD) — Inappropriate implementation in V8
- CVE-2026-4448 (CVSS score TBD) — Heap buffer overflow in ANGLE
- CVE-2026-4449 (CVSS score TBD) — Use after free in Blink
- CVE-2026-4450 (CVSS score TBD) — Out of bounds write in V8
- CVE-2026-4451 (CVSS score TBD) — Insufficient validation of untrusted input in Navigation
- CVE-2026-4452 (CVSS score TBD) — Integer overflow in ANGLE
- CVE-2026-4453 (CVSS score TBD) — Integer overflow in Dawn
- CVE-2026-4454 (CVSS score TBD) — Use after free in Network
- CVE-2026-4455 (CVSS score TBD) — Heap buffer overflow in PDFium
- CVE-2026-4456 (CVSS score TBD) — Use after free in Digital Credentials API
- CVE-2026-4457 (CVSS score TBD) — Type Confusion in V8,
- CVE-2026-4458 (CVSS score TBD) — Use after free in Extensions
- CVE-2026-4459 (CVSS score TBD) — Out of bounds read and write in WebAudio
- CVE-2026-4460 (CVSS score TBD) — Out of bounds read in Skia
- CVE-2026-4461 (CVSS score TBD) — Inappropriate implementation in V8
- CVE-2026-4462 (CVSS score TBD) — Out of bounds read in Blink
- CVE-2026-4463 (CVSS score TBD) — Heap buffer overflow in WebRTC
The single medium-severity issue is CVE-2026-4464 (CVSS score TBD) — Integer overflow in ANGLE.
The release is Stable channel to version 146.0.7680.153/154 for Windows and macOS and 146.0.7680.153 for Linux. Published on March 18, 2026, the update
Google is restricting access to detailed bug reports and links until a majority of users have applied the patch to reduce the risk of exploitation.
Users and enterprise administrators are strongly urged to update Google Chrome to the latest version as soon as possible by navigating to Help > About Google Chrome, which will trigger a manual update check.
