Google patched eight high-severity Chrome flaws on March 23, 2026. Chrome 146.0.7680.164/165 for Windows and macOS fixes three use-after-free vulnerabilities, two heap buffer overflows, two out-of-bounds reads, and an integer overflow. Seven browser components are affected. None of the flaws are flagged as exploited in the wild.
Three use-after-free bugs target Chrome's GPU and identity layers. CVE-2026-4676 hits Dawn, Chromium's native WebGPU implementation and the internal bridge between the browser and GPU hardware. CVE-2026-4678 affects WebGPU directly. CVE-2026-4680 sits in FedCM (Federated Credential Management), the API that handles sign-in through external identity providers. A use-after-free in FedCM is notable because the component manages authentication state.
Heap buffer corruption landed in WebAudio and WebGL. CVE-2026-4673 (WebAudio) carried a $7,000 bounty, the only confirmed payout in the advisory. It was reported on February 18, 2026. CVE-2026-4675 (WebGL) arrived nine days later. In both cases, data is written past the boundary of a heap-allocated buffer.
Two out-of-bounds reads round out the set. CVE-2026-4674 affects CSS parsing. Researcher Syn4pse reported it on February 27. CVE-2026-4677 targets WebAudio and was reported on March 7.
Out-of-bounds reads in CSS parsing can expose adjacent memory contents. An attacker who can leak renderer memory gains information to bypass ASLR and refine a follow-up exploit.
CVE-2026-4679 is an integer overflow in the Fonts component. GF and Un3xploitable of DeadSec reported it on March 11. Font parsing processes complex externally sourced binary data and has historically been a rich attack surface in browsers.
One researcher pattern stands out. The WebGL heap overflow (CVE-2026-4675, February 27) and the Dawn use-after-free (CVE-2026-4676, March 1) share the same pseudonymous reporter, identified only by the hash 86ac1f1587b71893ed2ad792cd7dde32. Both are GPU-adjacent components. Two bugs in four days from one person suggest a targeted audit of Chrome's graphics stack.
Google found CVE-2026-4678 (WebGPU use-after-free) internally on March 10. Internally discovered Chrome flaws often trace to Google's Threat Analysis Group, which tracks commercial spyware vendors. The previous Chrome security update (146.0.7680.153/154, March 18) included CVE-2026-3909, a Skia out-of-bounds write with a confirmed in-the-wild exploit. CISA added it to the Known Exploited Vulnerabilities catalog. No such flag appears on any of the current eight CVEs.
March 2026 has been unusually dense for Chrome security. This is the fifth stable-channel patch since Chrome 146 launched on March 10. Chrome patch management is now effectively continuous.
Five Chrome security updates in 14 days means patch management for Chromium-based browsers is now continuous. There is no safe interval between updates. Enterprise teams running Edge, Brave, Opera, or Vivaldi on the same Chromium engine face the same exposure window.
Google restricts access to bug details until most users have updated. Bounty amounts for seven of the eight CVEs remain listed as "TBD." The advisory notes that Chrome bugs are routinely found using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL. These tools are publicly available. The same fuzzing infrastructure that defenders use is accessible to attackers.
Open Chrome, navigate to Settings, then "About Google Chrome." The browser will download 146.0.7680.165 and prompt a restart. Enterprise administrators should push the update through centralised management without delay. The absence of a "known exploit" flag does not mean the flaws are unexploitable. Heap corruption, use-after-free, and integer wraparound are precisely the bug classes that appear in real-world exploit chains.
Have a story? Become a contributor.
We work with independent researchers and cybersecurity professionals. Send us a tip or submit your article for editorial review.
