{"id":11511,"date":"2026-03-21T10:03:49","date_gmt":"2026-03-21T10:03:49","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/03\/21\/chrome-security-update-fixes-26-vulnerabilities-allowing-remote-code-execution\/"},"modified":"2026-03-21T10:03:49","modified_gmt":"2026-03-21T10:03:49","slug":"chrome-security-update-fixes-26-vulnerabilities-allowing-remote-code-execution","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/03\/21\/chrome-security-update-fixes-26-vulnerabilities-allowing-remote-code-execution\/","title":{"rendered":"Chrome Security Update Fixes 26 Vulnerabilities Allowing Remote Code Execution"},"content":{"rendered":"<p>    Chrome Security Update Fixes 26 Vulnerabilities Allowing Remote Code Execution<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>Google has released a substantial security update for its Chrome web browser, addressing 26 distinct vulnerabilities that could allow unauthenticated attackers to execute malicious code remotely.<\/p>\n<p>The latest Stable channel update rolls out versions 146.0.7680.153 and 146.0.7680.154 for Windows and macOS, while Linux users will receive version 146.0.7680.153.<\/p>\n<p>This critical patch cycle is designed to remediate <a href=\"https:\/\/cybersecuritynews.com\/multiple-imagemagick-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">multiple severe memory corruption flaws<\/a> that pose significant risks to individual users and enterprise networks alike.<\/p>\n<p>Tailored to standard cybersecurity reporting formats, this breakdown highlights the most severe threats mitigated in this release.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-critical-vulnerabilities-and-rce-risks\"><strong>Critical Vulnerabilities and RCE Risks<\/strong><\/h2>\n<p>The primary threat vector for these vulnerabilities lies in how the browser processes specialized web content.<\/p>\n<p>By exploiting flaws in <a href=\"https:\/\/cybersecuritynews.com\/chrome-security-out-of-bounds-webrtc\/\" target=\"_blank\" rel=\"noreferrer noopener\">components such as WebGL, WebRTC<\/a>, and the V8 JavaScript engine, threat actors can bypass standard browser security sandboxes.<\/p>\n<p>The update specifically addresses three \u201cCritical\u201d severity vulnerabilities, 22 \u201cHigh\u201d severity flaws, and one \u201cMedium\u201d severity issue.<\/p>\n<p>These vulnerabilities primarily <a href=\"https:\/\/cybersecuritynews.com\/cisa-releases-guide-to-reduce-memory-safety-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">consist of classic memory management errors<\/a> such as use-after-free conditions, heap buffer overflows, and out-of-bounds access.<\/p>\n<p>When an attacker successfully triggers one of these conditions, typically by luring a victim to a maliciously crafted webpage, they can write payloads directly into system memory and achieve remote code execution (RCE).<\/p>\n<p>Beyond the critical flaws, the <a href=\"https:\/\/cybersecuritynews.com\/shuyal-stealer-attacking-19-browsers\/\" target=\"_blank\" rel=\"noreferrer noopener\">22 high-severity vulnerabilities affect a wide array of core browser modules<\/a>, including Blink, Network, WebAudio, Dawn, and PDFium.<\/p>\n<p>Notably, a single security researcher operating under the pseudonym \u201cc6eed09fc8b174b0f3eebedcceb1e792\u201d discovered and reported nine high-severity issues, as well as one critical vulnerability.<\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th class=\"has-text-align-left\" data-align=\"left\">CVE Identifier<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Severity<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Browser Component<\/th>\n<th class=\"has-text-align-left\" data-align=\"left\">Vulnerability Type<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4439<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Critical<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">WebGL<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Out of bounds memory access<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4440<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Critical<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">WebGL<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Out of bounds read and write<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4441<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Critical<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Base<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Use after free<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4442<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">CSS<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Heap buffer overflow<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4443<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">WebAudio<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Heap buffer overflow<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4444<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">WebRTC<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Stack buffer overflow<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4445<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">WebRTC<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Use after free<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4446<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">WebRTC<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Use after free<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4447<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">V8<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Inappropriate implementation<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4448<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">ANGLE<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Heap buffer overflow<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4449<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Blink<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Use after free<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4450<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">V8<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Out of bounds write<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4451<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Navigation<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Insufficient validation of untrusted input<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4452<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">ANGLE<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Integer overflow<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4453<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Dawn<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Integer overflow<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4454<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Network<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Use after free<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4455<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">PDFium<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Heap buffer overflow<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4456<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Digital Credentials API<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Use after free<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4457<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">V8<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Type Confusion<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4458<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Extensions<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Use after free<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4459<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">WebAudio<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Out of bounds read and write<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4460<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Skia<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Out of bounds read<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4461<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">V8<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Inappropriate implementation<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4462<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Blink<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Out of bounds read<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4463<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">High<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">WebRTC<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Heap buffer overflow<\/td>\n<\/tr>\n<tr>\n<td class=\"has-text-align-left\" data-align=\"left\">CVE-2026-4464<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Medium<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">ANGLE<\/td>\n<td class=\"has-text-align-left\" data-align=\"left\">Integer overflow<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>WebGL vulnerabilities are particularly dangerous because they interact directly with the hardware graphics processing unit, potentially allowing attackers to escape software constraints.<\/p>\n<p>Similarly, the V8 JavaScript engine remains a high-value target; <a href=\"https:\/\/cybersecuritynews.com\/chrome-type-confusion-zero-day\/\" target=\"_blank\" rel=\"noreferrer noopener\">vulnerabilities like type confusion (CVE-2026-4457) <\/a>enable attackers to manipulate how the engine handles object types.<\/p>\n<p><a href=\"https:\/\/chromereleases.googleblog.com\/2026\/03\/stable-channel-update-for-desktop_18.html\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google noted that many of these bugs were proactively identified <\/a>during development using advanced memory testing tools such as AddressSanitizer, MemorySanitizer, and libFuzzer.<\/p>\n<p>To mitigate the risk of system compromise, users and enterprise administrators are strongly advised to verify their browser versions immediately.<\/p>\n<p>While Google is rolling out the update progressively over the coming days and weeks, proactive manual updates can prevent exploitation by opportunistic threat actors.<\/p>\n<p>As is standard practice, Google will restrict public access to detailed bug reports and exploit chains until a vast majority of the <a href=\"https:\/\/cybersecuritynews.com\/chrome-security-update-29-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">user base has successfully applied the patch.<\/a><\/p>\n<p>This delayed disclosure strategy successfully prevents threat actors from reverse-engineering the patches to develop zero-day exploits targeting slow-to-update systems.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 94%,rgb(169,184,195) 100%)\"><strong>Follow us on <a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Google News<\/a>, <a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">LinkedIn<\/a>, and <a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">X<\/a> for daily cybersecurity updates. <a href=\"https:\/\/cybersecuritynews.com\/contact-us\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Contact us<\/a> to feature your stories.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/chrome-security-update-patches-26-vulnerabilities\/\">Chrome Security Update Fixes 26 Vulnerabilities Allowing Remote Code Execution<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/chrome-security-update-patches-26-vulnerabilities\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Chrome Security Update Fixes 26 Vulnerabilities Allowing Remote Code Execution Google has released a substantial security update for its Chrome web browser, addressing 26 distinct vulnerabilities that could allow unauthenticated attackers to execute malicious code remotely. The latest Stable channel update rolls out versions 146.0.7680.153 and 146.0.7680.154 for Windows and macOS, while Linux users will [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[768,129,63,2178,416],"tags":[130],"class_list":["post-11511","post","type-post","status-publish","format-standard","hentry","category-chrome","category-cyber-security","category-cyber-security-news","category-security-updates","category-vulnerabilities","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11511"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=11511"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/11511\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=11511"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=11511"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=11511"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}