Google Chrome Update Fixes 26 Security Flaws, Including RCE Vulnerabilities

Google has released a new Chrome stable update that patches 26 security vulnerabilities, including three critical bugs that could allow remote code execution (RCE) when a victim simply visits a malicious web page or processes crafted web content.

The update is rolling out to Windows and macOS as version 146.0.7680.153/154 and to Linux as 146.0.7680.153.

Patch overview

The March 18, 2026, Stable Channel update delivers 26 security fixes spanning core browser components such as WebGL, V8, WebRTC, Blink, ANGLE, CSS, Skia, PDFium, the Network stack, and the Digital Credentials API.

Google notes that technical details remain restricted until most users receive the patch, reducing the risk of rapid exploit weaponization.

The release focuses heavily on memory safety issues, including multiple out-of-bounds accesses, heap and stack buffer overflows, integer overflows, use-after-free conditions, and type confusion bug classes that are routinely exploitable for sandbox escapes and arbitrary code execution in modern browsers.

Critical RCE‑enabling vulnerabilities

Three critical vulnerabilities stand out as primary RCE enablers due to their location in high‑risk attack surfaces and their memory corruption nature:

• CVE-2026-4439: Out-of-bounds memory access in WebGL, reported by Goodluck on January 15, 2026. Crafted WebGL content can potentially corrupt memory when rendered, opening the door to code execution in the renderer process.
• CVE-2026-4440: Out-of-bounds read and write in WebGL, reported by researcher c6eed09fc8b174b0f3eebedcceb1e792 on February 20, 2026. The combination of read and write primitives makes this particularly valuable for exploit chains that need both info leaks and precise memory manipulation.
• CVE-2026-4441: Use-after-free in the Base library, reported internally by Google on March 3, 2026. A UAF in a low-level core component can often be leveraged to gain powerful primitives that impact multiple subsystems.

Taken together, these flaws represent a significant remote attack surface: an attacker can host malicious WebGL content or embed it in otherwise benign-looking pages to trigger memory corruption during rendering, potentially achieving remote code execution in Chrome’s renderer context and pivoting further via additional vulnerabilities.

High‑severity flaws in core components

Beyond the three critical issues, the update addresses a large cluster of high‑severity vulnerabilities that further strengthen exploit chains:

• WebRTC: Stack buffer overflow (CVE-2026-4444), two use-after-free bugs (CVE-2026-4445, CVE-2026-4446), and a heap buffer overflow (CVE-2026-4463) expose real-time communication features to memory corruption when handling untrusted media or signaling data.
• V8 JavaScript engine: Inappropriate implementations (CVE-2026-4447, CVE-2026-4461), out-of-bounds write (CVE-2026-4450), and type confusion (CVE-2026-4457) provide classic building blocks for JIT-based exploits originating from malicious scripts.
• Graphics and rendering: Heap buffer overflow in CSS (CVE-2026-4442), multiple integer overflows in ANGLE (CVE-2026-4452, CVE-2026-4464) and Dawn (CVE-2026-4453), and an out-of-bounds read in Skia (CVE-2026-4460) all highlight the risk of malformed visual or shader content leading to code execution or data leaks.
• Browser features and services: Use-after-free in Blink (CVE-2026-4449) and Extensions (CVE-2026-4458), heap buffer overflow in PDFium (CVE-2026-4455), use-after-free in the Network stack (CVE-2026-4454), and a use-after-free in the Digital Credentials API (CVE-2026-4456) extend the attack surface to document processing, network handling, extension logic, and emerging identity features.
• WebAudio: Heap buffer overflow (CVE-2026-4443) and out-of-bounds read/write (CVE-2026-4459) allow malicious audio content or APIs to become an exploitation vector.

These bugs are credited to a mix of independent researchers and academic and industry teams, including Syn4pse, heapracer, depthfirst’s Zhenpeng (Leo) Lin, and others.

Google highlights that many of the fixed issues were uncovered using automated tooling such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL, underscoring the continued importance of compiler- and fuzzing-based approaches for hardening a large C/C++ codebase.

Details for several bugs remain “TBD,” and full exploitability information is not yet public, but the concentration of memory corruption issues in remotely reachable components suggests real-world exploit potential once patches are reversed and analyzed.

The update is currently rolling out via the Stable Channel, and users on Windows, macOS, and Linux are urged to upgrade to Chrome 146.0.7680.153/154 as soon as possible to mitigate the risk of remote code execution and other compromise scenarios.

Enterprises should prioritize testing and deployment across managed fleets, particularly where WebGL, WebRTC, PDF rendering, and complex web applications are heavily used.

Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google

The post Google Chrome Update Fixes 26 Security Flaws, Including RCE Vulnerabilities appeared first on Cyber Security News.