Advisory

Google Patches Critical WebML Vulnerability and 28 Other Flaws in Chrome 146

Take action: If you are using Google Chrome or another Chromium-based browser (Edge, Brave, Vivaldi, Opera...), patch your browser ASAP. Google wouldn't push a new update so soon unless it's serious. Even if you want to debate the severity scoring, it's better to just update, because while you debate, hackers will find a way to exploit these flaws.


Learn More

Google released a security update for Chrome on March 10, 2026, bringing the browser to version 146.0.7680.71/72 for Windows and macOS, and 146.0.7680.71 for Linux. This release includes 29 security fixes that address several high-impact vulnerabilities.

Vulnerabilities summary:

Critical and high severity flaws:

  • CVE-2026-3913 (CVSS TBD, Google severity Critical): Heap buffer overflow in WebML. This flaw carries a significant risk of arbitrary code execution and was awarded a $33,000 bounty.
  • CVE-2026-3914 (CVSS TBD, Google severity High): Integer overflow in WebML.
  • CVE-2026-3915 (CVSS TBD, Google severity High): Heap buffer overflow in WebML.
  • CVE-2026-3916 (CVSS TBD, Google severity High): Out of bounds read in Web Speech.
  • CVE-2026-3917 through CVE-2026-3924 (CVSS TBD, Google severity High): Multiple use-after-free vulnerabilities affecting various components, including Agents, WebMCP, Extensions, TextEncoding, MediaStream, WebMIDI, and WindowDialog.
  • CVE-2026-3920 (CVSS TBD, Google severity High): Out of bounds memory access in WebML.

The update also addresses 17 additional bugs of Medium and Low severity, including incorrect security UI in LookalikeChecks and PictureInPicture, insufficient policy enforcement in PDF and DevTools, and a heap buffer overflow in the Skia graphics library.

All Chrome versions prior to 146.0.7680.71 are vulnerable to these security flaws. Users running any version below these build numbers should update immediately.

Patched Versions:

  • Chrome 146.0.7680.71 or later for Linux
  • Chrome 146.0.7680.71 or 146.0.7680.72 for Windows and Mac
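
To check a fleet against the patched builds listed above, the following added example (not part of the original advisory) compares reported Chrome versions numerically against 146.0.7680.71. The inventory rows, host names and function names are constructed for illustration, and the check covers Google Chrome only, since the advisory gives no build numbers for other Chromium-based browsers.

```python
import re

# Minimum patched build per platform, from the advisory's "Patched Versions" list.
PATCHED = {
    "linux": (146, 0, 7680, 71),
    "windows": (146, 0, 7680, 71),
    "mac": (146, 0, 7680, 71),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part version from text like 'Google Chrome 146.0.7680.71'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(platform, version_text):
    # Compare field by field as integers; a plain string comparison would
    # wrongly rank '146.0.7680.100' below '146.0.7680.71'.
    return parse_version(version_text) >= PATCHED[platform.lower()]


def audit(inventory):
    """Return hosts below the patched build. Rows that cannot be parsed are
    reported as 'unknown' so they are not silently counted as safe."""
    findings = []
    for host, platform, version_text in inventory:
        try:
            if not is_patched(platform, version_text):
                findings.append((host, "vulnerable"))
        except (ValueError, KeyError):
            findings.append((host, "unknown"))
    return findings


# Constructed sample inventory: (host, platform, reported version string).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 146.0.7680.72"),
    ("ws-02", "windows", "Google Chrome 145.0.7632.160"),
    ("lx-01", "linux", "Google Chrome 146.0.7680.71"),
    ("mac-01", "mac", "Google Chrome 146.0.7680.100"),
    ("lx-02", "linux", "version unavailable"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```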

Google is restricting access to detailed technical information and bug links until the majority of users have applied the security patches. This is a standard precaution to prevent widespread exploitation of the newly disclosed flaws.

Chrome users are strongly advised to update their browsers ASAP by navigating to Chrome menu > Help > About Google Chrome and relaunching once the download is complete. Users who do not close their browsers regularly should manually check for updates to ensure they receive these critical security protections.
