Chrome update patches a critical vulnerability – and 28 others
Google updated Chrome to the 146 developer branch overnight on Wednesday. The version closes 29 security vulnerabilities.
Google has updated the Chrome web browser to version 146 developer branch, largely unnoticed. The company began distribution overnight on Wednesday. However, it was only overnight on Thursday that the developers filled in the release announcement with information about the security vulnerabilities closed. And there are quite a few: programmers have fixed 29 vulnerabilities in the first official Chrome 146 release.
In the release announcement, Google states that the updated browser version fixes a critical vulnerability. In the WebML component, attackers can provoke memory errors on the heap when manipulated HTML pages are rendered, and thereby execute injected code (CVE-2026-3913, no CVSS score, risk according to Google “critical”). The reporter of the vulnerability, Tobias Wienand, receives a reward of $33,000 from Google for this.
Of the eleven security flaws classified as “high” risk, three are particularly noteworthy. An integer overflow in WebML (CVE-2026-3914, no CVSS score, risk according to Google “high”) even earns the discoverer $43,000 as a bug bounty reward; the same amount was awarded again to Wienand for another heap-based buffer overflow in the module (CVE-2026-3915, no CVSS score, risk according to Google “high”). A reward of $36,000 was given for reporting a vulnerability in the “Web Speech” component that allows carefully crafted web pages to trigger read access outside of intended memory boundaries (CVE-2026-3916, no CVSS score, risk according to Google “high”).
Google Chrome: Flood of security vulnerabilities
The release announcement contains further brief information about the vulnerabilities that the new versions fix. The version numbers for the bug fixes are Chrome 146.0.7680.111 for Android, 146.0.7680.40 for iOS, 146.0.7680.71 for Linux, and 146.0.7680.71/72 for macOS and Windows.
On the positive side, Google does not mention that any of the vulnerabilities are already being attacked on the internet. Nevertheless, Chrome users should ensure that their web browser is up to date. To do so, click the icon with the three stacked dots to the right of the address bar and navigate to “Help” – “About Google Chrome” to open the version dialog. It shows the current version and offers to install the update if one is available. On Linux, the distribution's software management is usually responsible for updates. On smartphones, updated Chrome versions should appear in the app stores soon, although this happens with a significant delay, and on some devices waiting times of several days to weeks may be expected.
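For administrators who want to check many machines rather than open the version dialog on each, the following added example (not part of the original article or of any Google tooling) compares reported Chrome version strings against the fixed builds listed above. The host names, the inventory format and the older sample version are constructed for illustration; for macOS and Windows the lower of the two listed builds (71) is assumed as the threshold.

```python
import re

# Fixed Chrome builds per platform as listed in the article.
# Assumption: for macOS/Windows (146.0.7680.71/72) the lower build is the threshold.
FIXED = {
    "android": (146, 0, 7680, 111),
    "ios": (146, 0, 7680, 40),
    "linux": (146, 0, 7680, 71),
    "macos": (146, 0, 7680, 71),
    "windows": (146, 0, 7680, 71),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract a four-part version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'patched', 'needs-update', 'unparseable' or 'unknown-platform'."""
    fixed = FIXED.get(platform.lower())
    if fixed is None:
        return "unknown-platform"
    found = parse_version(version_text)
    if found is None:
        return "unparseable"
    # Tuples compare numerically per component; comparing the raw strings
    # would wrongly rank "146.0.7680.71" above "146.0.7680.111".
    return "patched" if found >= fixed else "needs-update"

def audit(inventory):
    """Map host -> status for rows of (host, platform, version_text)."""
    return {host: classify(platform, text) for host, platform, text in inventory}

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 146.0.7680.72"),
    ("ws-02", "windows", "Google Chrome 145.0.7632.160"),
    ("lx-01", "linux", "Google Chrome 146.0.7680.71 "),
    ("ph-01", "android", "146.0.7680.71"),
    ("ph-02", "android", "146.0.7680.111"),
    ("mac-01", "macos", "version unknown"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:8} {status}")
```

The thresholds apply only to Google Chrome itself; other Chromium-based browsers such as Edge use their own version numbers and need their own table.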
Since the security vulnerabilities appear in the Chromium project, other web browsers based on it, such as Microsoft's Edge, are also likely to release updated versions in the foreseeable future. Users should install these promptly. Just last week, Google closed three security vulnerabilities in the Chrome web browser classified as critical risk. On Microsoft's Patch Tuesday in March, the list of vulnerabilities also appeared for the Edge browser.
(dmk)