Update Chrome Now: Google Patches 3 Critical Flaws and 7 High-Risk Vulnerabilities

Ddos March 5, 2026 2 minutes read

Google has released an urgent update for the Chrome Stable channel, addressing 10 security vulnerabilities, including three rated as “Critical” and seven rated as “High” severity. The update is rolling out for Windows, Mac, and Linux users and will be available to the global user base over the coming days and weeks.

The headline of this release is a trio of “Critical” vulnerabilities that could allow remote attackers to perform out-of-bounds memory access or heap corruption through specially crafted HTML pages.

CVE-2026-3536: Integer Overflow in ANGLE – Reported by cinzinga, this vulnerability in the ANGLE graphics engine was awarded a $33,000 bounty.
CVE-2026-3537: Object Lifecycle Issue in PowerVR – This critical flaw, discovered by Zhihua Yao of KunLun Lab, involves heap corruption that could be exploited via a malicious webpage. This researcher was awarded $32,000 for their discovery.
CVE-2026-3538: Integer Overflow in Skia – A critical flaw in the Skia 2D graphics library that could lead to out-of-bounds memory access.

In addition to the critical flaws, seven “High-Severity” vulnerabilities were patched, targeting essential browser sub-components such as the V8 JavaScript engine, WebAssembly, and CSS.

CVE ID	Component	Type of Vulnerability
CVE-2026-3539	DevTools	Object lifecycle issue
CVE-2026-3540	WebAudio	Inappropriate implementation
CVE-2026-3541	CSS	Inappropriate implementation (Out-of-bounds read)
CVE-2026-3542	WebAssembly	Inappropriate implementation (Out-of-bounds access)
CVE-2026-3543	V8	Inappropriate implementation (Out-of-bounds access)
CVE-2026-3544	WebCodecs	Heap buffer overflow (Out-of-bounds write)
CVE-2026-3545	Navigation	Insufficient data validation (Potential sandbox escape)

Several bugs in this update, including the critical CVE-2026-3537, are categorized as Object Lifecycle issues. In complex systems like browsers, thousands of “objects” (blocks of data and instructions) are created and destroyed every second. If an object is “freed” from memory but the browser tries to use it again—or if a “residue object” from a previous page persists into a new one—it creates a hole that attackers can use to corrupt memory or hijack the browser’s logic.

Google has restricted access to specific bug details and links until a majority of users have updated, a standard practice to prevent attackers from “reverse-engineering” the fix to build new exploits.

Action Required:

Update Immediately: Users should check their version by navigating to Help > About Google Chrome.
Verify the Version: Ensure you are running 145.0.7632.159/160 (Windows/Mac) or 145.0.7632.159 (Linux).
Relaunch: Remember that a Chrome update is not fully applied until the browser is relaunched.

Rate this post

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee PayPal

Critical Alert 1 Active Exploit Detected Today

Leave a Reply Cancel reply

Critical Alert 1 Active Exploit Detected Today

Support Our Threat Intelligence

Related posts:

Leave a Reply Cancel reply