Chrome 146 Update Patches High-Severity Vulnerabilities

Summary

Google released Chrome 146 to fix eight high-severity memory safety bugs across seven components, including heap buffer overflows in WebAudio and WebGL, out-of-bounds read issues in CSS, and use-after-free flaws in Dawn, WebGPU, and FedCM. The update was rolled out in versions 146.0.7680.164/165 for Windows and macOS, and 146.0.7680.164 for Linux. Users are strongly advised to update immediately, as Chrome vulnerabilities are frequently targeted in real-world attacks.

Full text

Google on Monday announced a fresh Chrome 146 update that resolves eight high-severity memory safety vulnerabilities. First on the list is CVE-2026-4673, a heap buffer overflow issue in WebAudio that earned the reporting researcher a $7,000 bug bounty reward. The same researcher discovered and reported CVE-2026-4677, an out-of-bounds read bug in WebAudio, but Google says it has yet to determine the bounty amount to be awarded for it. In fact, the internet giant has disclosed only the amount paid for the first WebAudio flaw, but not the amounts to be handed out for the remaining vulnerabilities. The latest Chrome update also resolves an out-of-bounds read bug in CSS (CVE-2026-4674), a heap buffer overflow defect in WebGL (CVE-2026-4675), three use-after-free issues in Dawn, WebGPU, and FedCM (CVE-2026-4676, CVE-2026-4678, and CVE-2026-4680), and an integer overflow vulnerability in Fonts (CVE-2026-4679). Fixes for all security defects were included in Chrome versions 146.0.7680.164/165 for Windows and macOS, and version 146.0.7680.164 for Linux.Advertisement. Scroll to continue reading. Users are advised to update their browsers as soon as possible, as Chrome vulnerabilities are often targeted in attacks. Roughly two weeks ago, Google rolled out an emergency update to resolve two Chrome zero-days that were discovered internally only days after Chrome 146 was promoted to the stable channel. The internet giant did not share information on the two zero-days, tracked as CVE-2026-3909 and CVE-2026-3910, but vulnerabilities discovered by Google are often targeted by commercial surveillance vendors. Related: Critical Citrix NetScaler Vulnerability Poised for Exploitation, Security Firms Warn Related: M-Trends 2026: Initial Access Handoff Shrinks From Hours to 22 Seconds Related: QNAP Patches Four Vulnerabilities Exploited at Pwn2Own Related: Critical Quest KACE Vulnerability Potentially Exploited in Attacks Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Chip Services Firm Trio-Tech Says Subsidiary Hit by Ransomware Aqua’s Trivy Vulnerability Scanner Hit by Supply Chain AttackQNAP Patches Four Vulnerabilities Exploited at Pwn2Own Tycoon 2FA Fully Operational Despite Law Enforcement TakedownEclypsium Raises $25 Million for Device Supply Chain SecurityNavia Data Breach Impacts 2.7 MillionThousands of Magento Sites Hit in Ongoing Defacement CampaignAllure Security Raises $17 Million for Online Brand Protection Latest News RSAC 2026 Conference Announcements Summary (Day 1)Extortion Group Claims It Hacked AstraZenecaWebinar Today: Putting CIS Controls and Benchmarks into Practice3.1 Million Impacted by QualDerm Data BreachIran Built a Vast Camera Network to Control Dissent. Israel Turned It Into a Targeting ToolCritical Citrix NetScaler Vulnerability Poised for Exploitation, Security Firms WarnMazda Says Employee, Partner Information Stolen in CyberattackStryker Says Malicious File Found During Probe Into Iran-Linked Attack Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Webinar: Why Automated Pentesting Alone Is Not Enough April 7, 2026 Join our live diagnostic session to expose hidden coverage gaps and shift from flawed tool-level evaluations to a comprehensive, program-level validation discipline. Register People on the Move7AI has appointed Israel Barak as its first Chief Information Security Officer.Brian Harrell has been appointed Chief Security Officer at FirstEnergy.eSentire has named James C. Foster as Chief Executive Officer.More People On The MoveExpert Insights The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-4673
• cve — CVE-2026-4677
• cve — CVE-2026-4674
• cve — CVE-2026-4675
• cve — CVE-2026-4676
• cve — CVE-2026-4678
• cve — CVE-2026-4680
• cve — CVE-2026-4679
• cve — CVE-2026-3909
• cve — CVE-2026-3910