ACCORDING to Google, Chrome 146 update patches eight high-severity memory safety vulnerabilities across seven components, with fixes rolled into Chrome versions 146.0.7680.164/165 for Windows and macOS, and 146.0.7680.164 for Linux. The advisory highlights CVE-2026-4673, a heap buffer overflow in WebAudio, which earned the reporting researcher a $7,000 bug bounty, and CVE-2026-4677, an out-of-bounds read in WebAudio, for which the bounty amount has yet to be determined.
It also closes CVE-2026-4674 (out-of-bounds read in CSS), CVE-2026-4675 (heap buffer overflow in WebGL), three use-after-free flaws in Dawn, WebGPU and FedCM (CVE-2026-4676, CVE-2026-4678 and CVE-2026-4680), and CVE-2026-4679 (integer overflow in Fonts). Roughly two weeks earlier, Google issued an emergency update to address two Chrome zero-days tracked as CVE-2026-3909 and CVE-2026-3910, with details not disclosed. Users are urged to update promptly as Chrome vulnerabilities are frequently exploited in attacks.