The Extended Stable channel has been updated to 148.0.7778.254 for Windows and Mac which will roll out over the coming days/weeks.
The Stable channel has been updated to 149.0.7827.102/.103 for Windows and Mac and 149.0.7827.102 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 74 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information
[N/A][516501794] Critical CVE-2026-11628: Use after free in Ozone. Reported by Google on 2026-05-25
[N/A][516674532] Critical CVE-2026-11629: Use after free in Ozone. Reported by Google on 2026-05-26
[N/A][516677924] Critical CVE-2026-11630: Use after free in File Input. Reported by Google on 2026-05-26
[N/A][516691130] Critical CVE-2026-11631: Use after free in Aura. Reported by Google on 2026-05-26
[N/A][516707881] Critical CVE-2026-11632: Use after free in TabStrip. Reported by Google on 2026-05-26
[N/A][516963272] Critical CVE-2026-11633: Use after free in Bluetooth. Reported by Google on 2026-05-27
[N/A][516975148] Critical CVE-2026-11634: Use after free in Gamepad. Reported by Google on 2026-05-27
[N/A][516987814] Critical CVE-2026-11635: Use after free in Bluetooth. Reported by Google on 2026-05-27
[N/A][517023053] Critical CVE-2026-11636: Use after free in Autofill. Reported by Google on 2026-05-27
[N/A][517040438] Critical CVE-2026-11637: Use after free in Views. Reported by Google on 2026-05-27
[N/A][517047197] Critical CVE-2026-11638: Use after free in Printing. Reported by Google on 2026-05-27
[N/A][517227707] Critical CVE-2026-11639: Use after free in Compositing. Reported by Google on 2026-05-27
[N/A][517339758] Critical CVE-2026-11640: Integer overflow in libyuv. Reported by Google on 2026-05-28
[N/A][517418936] Critical CVE-2026-11641: Use after free in Bluetooth. Reported by Google on 2026-05-28
[N/A][517678820] Critical CVE-2026-11642: Use after free in Web Apps. Reported by Google on 2026-05-29
[N/A][518006379] Critical CVE-2026-11643: Use after free in Proxy. Reported by Google on 2026-05-29
[N/A][518043597] Critical CVE-2026-11644: Use after free in Views. Reported by Google on 2026-05-30
[$55000][506689381] High CVE-2026-11645: Out of bounds memory access in V8. Reported by 303f06e3 on 2026-04-27
[$500][517168239] High CVE-2026-11646: Use after free in ViewTransitions. Reported by Quac Tran on 2026-05-27
[N/A][502156940] High CVE-2026-11647: Use after free in Printing. Reported by Google on 2026-04-13
[N/A][506684534] High CVE-2026-11648: Use after free in FullScreen. Reported by Mihnea Nicolau on 2026-04-27
[N/A][511270083] High CVE-2026-11649: Use after free in V8. Reported by Google on 2026-05-08
[N/A][511279942] High CVE-2026-11650: Use after free in V8. Reported by Google on 2026-05-08
[N/A][511736002] High CVE-2026-11651: Use after free in Network. Reported by Google on 2026-05-10
[N/A][513156160] High CVE-2026-11652: Use after free in Extensions. Reported by Google on 2026-05-14
[N/A][513321171] High CVE-2026-11653: Insufficient validation of untrusted input in Extensions. Reported by Google on 2026-05-14
[N/A][513362710] High CVE-2026-11654: Use after free in CameraCapture. Reported by Google on 2026-05-15
[N/A][513396305] High CVE-2026-11655: Integer overflow in Media. Reported by Google on 2026-05-15
[N/A][513424000] High CVE-2026-11656: Use after free in ServiceWorker. Reported by Google on 2026-05-15
[N/A][513465272] High CVE-2026-11657: Use after free in Payments. Reported by Google on 2026-05-15
[N/A][513564337] High CVE-2026-11658: Insufficient validation of untrusted input in Extensions. Reported by Google on 2026-05-15
[N/A][513702971] High CVE-2026-11659: Insufficient validation of untrusted input in UI. Reported by Google on 2026-05-16
[N/A][513731890] High CVE-2026-11660: Insufficient validation of untrusted input in New Tab Page. Reported by Google on 2026-05-16
[N/A][513748868] High CVE-2026-11661: Use after free in Views. Reported by Google on 2026-05-16
[N/A][513773313] High CVE-2026-11662: Type Confusion in Bindings. Reported by Google on 2026-05-16
[N/A][513820666] High CVE-2026-11663: Use after free in Skia. Reported by Google on 2026-05-16
[N/A][513830374] High CVE-2026-11664: Use after free in Payments. Reported by Google on 2026-05-16
[N/A][513948465] High CVE-2026-11665: Out of bounds read in Dawn. Reported by Google on 2026-05-17
[N/A][514009323] High CVE-2026-11666: Insufficient validation of untrusted input in Input. Reported by Google on 2026-05-17
[N/A][514671098] High CVE-2026-11667: Out of bounds read in WebRTC. Reported by Google on 2026-05-19
[N/A][515419790] High CVE-2026-11668: Uninitialized Use in Codecs. Reported by Google on 2026-05-21
[N/A][515429352] High CVE-2026-11669: Integer overflow in Media. Reported by Google on 2026-05-21
[N/A][515469283] High CVE-2026-11670: Use after free in PDF. Reported by Google on 2026-05-21
[N/A][516608438] High CVE-2026-11671: Use after free in Navigation. Reported by Google on 2026-05-26
[N/A][516794471] High CVE-2026-11672: Out of bounds write in GPU. Reported by Google on 2026-05-26
[N/A][516902973] High CVE-2026-11673: Use after free in InterestGroups. Reported by Google on 2026-05-26
[N/A][516910450] High CVE-2026-11674: Use after free in Guest View. Reported by Google on 2026-05-27
[N/A][516915337] High CVE-2026-11675: Insufficient validation of untrusted input in Skia. Reported by Google on 2026-05-27
[N/A][516949298] High CVE-2026-11676: Insufficient validation of untrusted input in Dawn. Reported by Google on 2026-05-27
[N/A][516979551] High CVE-2026-11677: Race in Network. Reported by Google on 2026-05-27
[N/A][516986556] High CVE-2026-11678: Integer overflow in libyuv. Reported by Google on 2026-05-27
[N/A][516997135] High CVE-2026-11679: Use after free in Codecs. Reported by Google on 2026-05-27
[N/A][517004487] High CVE-2026-11680: Use after free in Media. Reported by Google on 2026-05-27
[N/A][517050585] High CVE-2026-11681: Use after free in Ozone. Reported by Google on 2026-05-27
[N/A][517103584] High CVE-2026-11682: Insufficient validation of untrusted input in Views. Reported by Google on 2026-05-27
[N/A][517129549] High CVE-2026-11683: Use after free in WebCodecs. Reported by Google on 2026-05-27
[N/A][517130229] High CVE-2026-11684: Insufficient policy enforcement in Network. Reported by Google on 2026-05-27
[N/A][517183713] High CVE-2026-11685: Insufficient data validation in MediaCapture. Reported by Google on 2026-05-27
[N/A][517247333] High CVE-2026-11686: Insufficient validation of untrusted input in Dawn. Reported by Google on 2026-05-27
[N/A][517303276] High CVE-2026-11687: Use after free in Dawn. Reported by Google on 2026-05-28
[N/A][517309206] High CVE-2026-11688: Object lifecycle issue in SVG. Reported by Google on 2026-05-28
[N/A][517486004] High CVE-2026-11689: Insufficient validation of untrusted input in Passwords. Reported by Google on 2026-05-28
[N/A][517533654] High CVE-2026-11690: Out of bounds read and write in Media. Reported by Google on 2026-05-28
[N/A][517585486] High CVE-2026-11691: Insufficient validation of untrusted input in New Tab Page. Reported by Google on 2026-05-28
[N/A][517607902] High CVE-2026-11692: Use after free in Read Anything. Reported by Google on 2026-05-28
[N/A][517644287] High CVE-2026-11693: Inappropriate implementation in Plugins. Reported by Google on 2026-05-28
[N/A][517705966] High CVE-2026-11694: Use after free in ServiceWorker. Reported by Google on 2026-05-29
[N/A][517762104] High CVE-2026-11695: Inappropriate implementation in Passwords. Reported by Google on 2026-05-29
[N/A][517993381] High CVE-2026-11696: Uninitialized Use in Video. Reported by Google on 2026-05-29
[N/A][518105731] High CVE-2026-11697: Insufficient validation of untrusted input in UI. Reported by Google on 2026-05-30
[N/A][518235412] High CVE-2026-11698: Use after free in Bluetooth. Reported by Google on 2026-05-30
[N/A][518237527] High CVE-2026-11699: Use after free in Bluetooth. Reported by Google on 2026-05-30
[N/A][511732085] Medium CVE-2026-11700: Use after free in Tracing. Reported by Google on 2026-05-10
[N/A][516413817] Medium CVE-2026-11701: Insufficient validation of untrusted input in Guest View. Reported by Google on 2026-05-25
Google is aware that an exploit for CVE-2026-11645 exists in the wild.
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Daniel Yip
Google Chrome
The Extended Stable channel has been updated to 148.0.7778.254 for Windows and Mac which will roll out over the coming days/weeks.
The Chrome team is delighted to announce the promotion of Chrome 149 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 429 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[$97000][498904293] Critical CVE-2026-10881: Out of bounds read and write in ANGLE. Reported by Anonymous on 2026-04-02
[$43000][503420443] Critical CVE-2026-10882: Use after free in Network. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-04-17
[$5000][503768143] Critical CVE-2026-10883: Out of bounds write in ANGLE. Reported by Maher Azzouzi on 2026-04-17
[N/A][503617302] Critical CVE-2026-10884: Use after free in Chromecast. Reported by Google on 2026-04-17
[N/A][504072665] Critical CVE-2026-10885: Use after free in Chrome for iOS. Reported by Google on 2026-04-18
[TBD][505096898] Critical CVE-2026-10886: Use after free in FileSystem. Reported by Andrew Boni on 2026-04-21
[N/A][505204771] Critical CVE-2026-10887: Use after free in Chromoting. Reported by Google on 2026-04-22
[N/A][505815080] Critical CVE-2026-10888: Use after free in Cast Streaming. Reported by Google on 2026-04-23
[N/A][513003797] Critical CVE-2026-10889: Out of bounds read in ANGLE. Reported by Google on 2026-05-14
[N/A][513136593] Critical CVE-2026-10890: Use after free in Cast. Reported by Google on 2026-05-14
[N/A][513160681] Critical CVE-2026-10891: Use after free in GFX. Reported by Google on 2026-05-14
[N/A][513165325] Critical CVE-2026-10892: Out of bounds write in GPU. Reported by Google on 2026-05-14
[N/A][513231432] Critical CVE-2026-10893: Use after free in Chromoting. Reported by Google on 2026-05-14
[N/A][513445101] Critical CVE-2026-10894: Use after free in Printing. Reported by Google on 2026-05-15
[N/A][513454018] Critical CVE-2026-10895: Use after free in Ozone. Reported by Google on 2026-05-15
[N/A][513514692] Critical CVE-2026-10896: Use after free in Chrome for iOS. Reported by Google on 2026-05-15
[N/A][513543143] Critical CVE-2026-10897: Out of bounds write in GPU. Reported by Google on 2026-05-15
[N/A][513946753] Critical CVE-2026-10898: Stack buffer overflow in GPU. Reported by Google on 2026-05-17
[N/A][516653777] Critical CVE-2026-10899: Use after free in Ozone. Reported by Google on 2026-05-26
[N/A][516878683] Critical CVE-2026-10900: Use after free in Passwords. Reported by Google on 2026-05-26
[N/A][516957738] Critical CVE-2026-10901: Use after free in Passwords. Reported by Google on 2026-05-27
[N/A][517046249] Critical CVE-2026-10902: Use after free in Ozone. Reported by Google on 2026-05-27
[$11000][503422316] High CVE-2026-10903: Use after free in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-04-17
[$8000][506855825] High CVE-2026-10904: Inappropriate implementation in V8. Reported by 303f06e3 on 2026-04-27
[$5000][487357841] High CVE-2026-10905: Use after free in Network. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-25
[$3000][503420438] High CVE-2026-10906: Use after free in WebAuthentication. Reported by Weipeng Jiang (@Krace) of VRI on 2026-04-17
[$2000][489071023] High CVE-2026-10907: Out of bounds write in ANGLE. Reported by sweetchip on 2026-03-02
[$2000][505045913] High CVE-2026-10908: Use after free in FullScreen. Reported by Mihnea Nicolau on 2026-04-21
[$1000][508092644] High CVE-2026-10909: Use after free in Dawn. Reported by whiter@xuanyusec on 2026-04-30
[$500][508811477] High CVE-2026-10910: Type Confusion in V8. Reported by Mufeed VH from Winfunc Research (winfunc.com) on 2026-05-02
[N/A][495819067] High CVE-2026-10911: Insufficient validation of untrusted input in Media. Reported by Google on 2026-03-24
[N/A][496614553] High CVE-2026-10912: Insufficient validation of untrusted input in Extensions. Reported by Google on 2026-03-26
[N/A][497450927] High CVE-2026-10913: Use after free in ANGLE. Reported by Google on 2026-03-29
[N/A][497574371] High CVE-2026-10914: Use after free in ANGLE. Reported by Google on 2026-03-30
[N/A][497612174] High CVE-2026-10915: Use after free in Core. Reported by Google on 2026-03-30
[N/A][497643690] High CVE-2026-10916: Insufficient validation of untrusted input in DevTools. Reported by Google on 2026-03-30
[N/A][497929481] High CVE-2026-10917: Insufficient validation of untrusted input in Media. Reported by Google on 2026-03-30
[N/A][498259721] High CVE-2026-10918: Use after free in Viz. Reported by Google on 2026-03-31
[N/A][498872764] High CVE-2026-10919: Use after free in ANGLE. Reported by Google on 2026-04-02
[N/A][498977444] High CVE-2026-10920: Insufficient validation of untrusted input in WebShare. Reported by Google on 2026-04-02
[N/A][499159695] High CVE-2026-10921: Integer overflow in Dawn. Reported by Google on 2026-04-03
[N/A][499164652] High CVE-2026-10922: Insufficient validation of untrusted input in DevTools. Reported by Google on 2026-04-03
[N/A][499423683] High CVE-2026-10923: Use after free in WebAppInstalls. Reported by Google on 2026-04-04
[N/A][500055357] High CVE-2026-10924: Integer overflow in Chromecast. Reported by Google on 2026-04-06
[N/A][500071763] High CVE-2026-10925: Out of bounds write in Skia. Reported by Google on 2026-04-06
[N/A][500075522] High CVE-2026-10926: Use after free in Cast. Reported by Google on 2026-04-06
[N/A][500090141] High CVE-2026-10927: Out of bounds read in Dawn. Reported by Google on 2026-04-06
[N/A][500124367] High CVE-2026-10928: Script injection in Headless. Reported by Google on 2026-04-06
[N/A][500429259] High CVE-2026-10929: Heap buffer overflow in ANGLE. Reported by Google on 2026-04-07
[N/A][500472605] High CVE-2026-10930: Out of bounds read in ANGLE. Reported by Google on 2026-04-07
[TBD][501115599] High CVE-2026-10931: Use after free in FileSystem. Reported by asjidkalam on 2026-04-10
[N/A][501335606] High CVE-2026-10932: Use after free in UI. Reported by Google on 2026-04-10
[N/A][501557633] High CVE-2026-10933: Use after free in Audio. Reported by Google on 2026-04-11
[N/A][501594107] High CVE-2026-10934: Use after free in Autofill. Reported by Google on 2026-04-11
[N/A][501898683] High CVE-2026-10935: Inappropriate implementation in V8. Reported by Google on 2026-04-12
[N/A][502439789] High CVE-2026-10936: Type Confusion in V8. Reported by Google on 2026-04-14
[N/A][502651056] High CVE-2026-10937: Inappropriate implementation in Passwords. Reported by Google on 2026-04-14
[N/A][502681591] High CVE-2026-10938: Insufficient validation of untrusted input in Input. Reported by Google on 2026-04-14
[N/A][503502607] High CVE-2026-10939: Use after free in WebRTC. Reported by Google on 2026-04-17
[N/A][503879873] High CVE-2026-10940: Race in Codecs. Reported by Google on 2026-04-17
[N/A][503958940] High CVE-2026-10941: Out of bounds memory access in Skia. Reported by Google on 2026-04-18
[N/A][504104263] High CVE-2026-10942: Insufficient validation of untrusted input in UI. Reported by Google on 2026-04-18
[TBD][504194151] High CVE-2026-10943: Use after free in WebRTC. Reported by Rayyan Kadar on 2026-04-20
[N/A][504215814] High CVE-2026-10944: Insufficient policy enforcement in Autofill. Reported by Google on 2026-04-19
[N/A][504417768] High CVE-2026-10945: Use after free in PDF. Reported by Google on 2026-04-20
[N/A][504587797] High CVE-2026-10946: Heap buffer overflow in Media. Reported by Google on 2026-04-20
[N/A][504597736] High CVE-2026-10947: Use after free in WebRTC. Reported by Google on 2026-04-20
[N/A][504599749] High CVE-2026-10948: Use after free in WebRTC. Reported by Google on 2026-04-20
[N/A][504644843] High CVE-2026-10949: Heap buffer overflow in Video. Reported by Google on 2026-04-20
[N/A][505123022] High CVE-2026-10950: Insufficient policy enforcement in Autofill. Reported by Google on 2026-04-21
[N/A][505191883] High CVE-2026-10951: Use after free in Autofill. Reported by Google on 2026-04-22
[N/A][505231370] High CVE-2026-10952: Use after free in Chrome for iOS. Reported by Google on 2026-04-22
[N/A][506147564] High CVE-2026-10953: Use after free in Core. Reported by Google on 2026-04-24
[N/A][506150628] High CVE-2026-10954: Use after free in Actor. Reported by Google on 2026-04-24
[N/A][506374676] High CVE-2026-10955: Type Confusion in ANGLE. Reported by Google on 2026-04-25
[N/A][506375731] High CVE-2026-10956: Use after free in MimeHandlerView. Reported by Google on 2026-04-25
[N/A][506377279] High CVE-2026-10957: Use after free in Glic. Reported by Google on 2026-04-25
[N/A][507251069] High CVE-2026-10958: Use after free in Chrome for iOS. Reported by Google on 2026-04-28
[N/A][507258648] High CVE-2026-10959: Use after free in Input. Reported by Google on 2026-04-28
[N/A][507258786] High CVE-2026-10960: Uninitialized Use in Codecs. Reported by Google on 2026-04-28
[N/A][508281950] High CVE-2026-10961: Use after free in Chrome for iOS. Reported by Google on 2026-04-30
[N/A][511006880] High CVE-2026-10962: Type Confusion in Media. Reported by Google on 2026-05-08
[N/A][511218177] High CVE-2026-10963: Integer overflow in V8. Reported by Google on 2026-05-08
[N/A][511228272] High CVE-2026-10964: Integer overflow in V8. Reported by Google on 2026-05-08
[N/A][511290038] High CVE-2026-10965: Integer overflow in DevTools. Reported by Google on 2026-05-08
[N/A][511713779] High CVE-2026-10966: Insufficient validation of untrusted input in Codecs. Reported by Google on 2026-05-10
[N/A][511714900] High CVE-2026-10967: Use after free in SurfaceCapture. Reported by Google on 2026-05-10
[N/A][511758373] High CVE-2026-10968: Insufficient validation of untrusted input in Dawn. Reported by Google on 2026-05-10
[N/A][511765713] High CVE-2026-10969: Insufficient validation of untrusted input in Extensions. Reported by Google on 2026-05-10
[N/A][512772489] High CVE-2026-10970: Insufficient validation of untrusted input in InterestGroups. Reported by Google on 2026-05-13
[N/A][513005991] High CVE-2026-10971: Insufficient validation of untrusted input in Printing. Reported by Google on 2026-05-14
[N/A][513006660] High CVE-2026-10972: Use after free in Ozone. Reported by Google on 2026-05-14
[N/A][513042859] High CVE-2026-10973: Uninitialized Use in Dawn. Reported by Google on 2026-05-14
[N/A][513135862] High CVE-2026-10974: Insufficient validation of untrusted input in ANGLE. Reported by Google on 2026-05-14
[N/A][513154132] High CVE-2026-10975: Use after free in WebRTC. Reported by Google on 2026-05-14
[N/A][513249847] High CVE-2026-10976: Uninitialized Use in Dawn. Reported by Google on 2026-05-14
[N/A][513340227] High CVE-2026-10977: Uninitialized Use in Skia. Reported by Google on 2026-05-14
[N/A][513394258] High CVE-2026-10978: Use after free in Chromoting. Reported by Google on 2026-05-15
[N/A][513468021] High CVE-2026-10979: Out of bounds read in ANGLE. Reported by Google on 2026-05-15
[N/A][513713927] High CVE-2026-10980: Insufficient validation of untrusted input in DevTools. Reported by Google on 2026-05-16
[N/A][513762354] High CVE-2026-10981: Insufficient validation of untrusted input in Codecs. Reported by Google on 2026-05-16
[N/A][513774197] High CVE-2026-10982: Use after free in WebXR. Reported by Google on 2026-05-16
[N/A][513947609] High CVE-2026-10983: Insufficient validation of untrusted input in Dawn. Reported by Google on 2026-05-17
[N/A][514022635] High CVE-2026-10984: Inappropriate implementation in Accessibility. Reported by Google on 2026-05-17
[N/A][514082801] High CVE-2026-10985: Out of bounds read in Skia. Reported by Google on 2026-05-17
[N/A][514744613] High CVE-2026-10986: Integer overflow in Media. Reported by Google on 2026-05-19
[N/A][515431687] High CVE-2026-10987: Integer overflow in V8. Reported by Google on 2026-05-21
[N/A][515465685] High CVE-2026-10988: Use after free in Views. Reported by Google on 2026-05-21
[N/A][516311623] High CVE-2026-10989: Inappropriate implementation in V8. Reported by Google on 2026-05-25
[$4000][506311914] Medium CVE-2026-10990: Use after free in Glic. Reported by Weipeng Jiang (@Krace) of VRI on 2026-04-25
[$3000][503553614] Medium CVE-2026-10991: Use after free in V8. Reported by Alisa Esage (@alisaesage) on 2026-04-17
[$2000][493534964] Medium CVE-2026-10992: Insufficient data validation in Animation. Reported by heapracer (@heapracer) on 2026-03-17
[$2000][504160794] Medium CVE-2026-10993: Heap buffer overflow in Skia. Reported by M. Fauzan Wijaya (Gh05t666nero) on 2026-04-19
[$2000][504820809] Medium CVE-2026-10994: Uninitialized Use in ANGLE. Reported by Mufeed VH from Winfunc Research (winfunc.com) on 2026-04-21
[$2000][505371980] Medium CVE-2026-10995: Heap buffer overflow in TabStrip. Reported by Sven Dysthe (@svn-dys) on 2026-04-22
[TBD][40051700] Medium CVE-2026-10996: Inappropriate implementation in Workers. Reported by Jayateertha Guruprasad on 2024-12-23
[TBD][464217867] Medium CVE-2026-10997: Insufficient policy enforcement in Extensions. Reported by djallalakira@gmail.com on 2025-11-28
[TBD][486536242] Medium CVE-2026-10998: Out of bounds read in Media. Reported by Ameen Basha M K on 2026-02-22
[TBD][489369089] Medium CVE-2026-10999: Out of bounds memory access in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-04
[TBD][492374380] Medium CVE-2026-11000: Use after free in Fonts. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-13
[N/A][493691489] Medium CVE-2026-11001: Incorrect security UI in Payments. Reported by Google on 2026-03-18
[TBD][494740162] Medium CVE-2026-11002: Use after free in Autofill. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-21
[TBD][494823867] Medium CVE-2026-11003: Use after free in WebRTC. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2026-03-21
[TBD][494823889] Medium CVE-2026-11004: Out of bounds read in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-22
[TBD][495052581] Medium CVE-2026-11005: Out of bounds read in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-22
[N/A][495489174] Medium CVE-2026-11006: Out of bounds read in Dawn. Reported by Google on 2026-03-23
[N/A][495834228] Medium CVE-2026-11007: Insufficient validation of untrusted input in WebView. Reported by Google on 2026-03-24
[N/A][495864099] Medium CVE-2026-11008: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google on 2026-03-24
[N/A][496233132] Medium CVE-2026-11009: Use after free in USB. Reported by Google on 2026-03-25
[TBD][496266444] Medium CVE-2026-11010: Use after free in WebShare. Reported by David Sievers on 2026-03-26
[N/A][496702621] Medium CVE-2026-11011: Insufficient policy enforcement in Password Manager. Reported by Google on 2026-03-26
[N/A][497000161] Medium CVE-2026-11012: Use after free in Serial. Reported by Google on 2026-03-27
[N/A][497056412] Medium CVE-2026-11013: Insufficient validation of untrusted input in Network. Reported by Google on 2026-03-28
[N/A][497058611] Medium CVE-2026-11014: Insufficient policy enforcement in Extensions. Reported by Google on 2026-03-28
[TBD][497183443] Medium CVE-2026-11015: Out of bounds read in WebGPU. Reported by Yuma Takeuchi on 2026-03-29
[N/A][497278395] Medium CVE-2026-11016: Insufficient validation of untrusted input in Network. Reported by Google on 2026-03-28
[N/A][497336872] Medium CVE-2026-11017: Inappropriate implementation in Link Preview. Reported by Google on 2026-03-29
[N/A][497342466] Medium CVE-2026-11018: Insufficient policy enforcement in Actor. Reported by Google on 2026-03-29
[N/A][497344640] Medium CVE-2026-11019: Inappropriate implementation in Payments. Reported by Google on 2026-03-29
[N/A][497440270] Medium CVE-2026-11020: Inappropriate implementation in Extensions. Reported by Google on 2026-03-29
[N/A][497487755] Medium CVE-2026-11021: Insufficient validation of untrusted input in GPU. Reported by Google on 2026-03-29
[N/A][497532918] Medium CVE-2026-11022: Insufficient validation of untrusted input in DevTools. Reported by Google on 2026-03-29
[N/A][497538899] Medium CVE-2026-11023: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google on 2026-03-29
[N/A][497591594] Medium CVE-2026-11024: Stack buffer overflow in Skia. Reported by Google on 2026-03-30
[N/A][497595264] Medium CVE-2026-11025: Insufficient policy enforcement in Navigation. Reported by Google on 2026-03-30
[N/A][497599683] Medium CVE-2026-11026: Insufficient policy enforcement in Extensions. Reported by Google on 2026-03-30
[N/A][497604407] Medium CVE-2026-11027: Insufficient validation of untrusted input in Glic. Reported by Google on 2026-03-30
[N/A][497627277] Medium CVE-2026-11028: Use after free in Media. Reported by Google on 2026-03-30
[N/A][497651688] Medium CVE-2026-11029: Insufficient validation of untrusted input in Drag and Drop. Reported by Google on 2026-03-30
[N/A][497722502] Medium CVE-2026-11030: Use after free in Network. Reported by Google on 2026-03-30
[N/A][497748760] Medium CVE-2026-11031: Insufficient validation of untrusted input in Password Manager. Reported by Google on 2026-03-30
[N/A][497831111] Medium CVE-2026-11032: Insufficient data validation in Password Manager. Reported by Google on 2026-03-30
[N/A][497926664] Medium CVE-2026-11033: Uninitialized Use in WebML. Reported by Google on 2026-03-30
[N/A][497934980] Medium CVE-2026-11034: Insufficient validation of untrusted input in Tab Group Sync. Reported by Google on 2026-03-30
[N/A][497936421] Medium CVE-2026-11035: Insufficient validation of untrusted input in Custom Tabs. Reported by Google on 2026-03-30
[N/A][497964917] Medium CVE-2026-11036: Inappropriate implementation in DOM. Reported by Google on 2026-03-30
[N/A][497971287] Medium CVE-2026-11037: Out of bounds write in Codecs. Reported by Google on 2026-03-31
[N/A][498080391] Medium CVE-2026-11038: Insufficient validation of untrusted input in Subresource Integrity. Reported by Google on 2026-03-31
[N/A][498204112] Medium CVE-2026-11039: Uninitialized Use in Skia. Reported by Google on 2026-03-31
[N/A][498371085] Medium CVE-2026-11040: Use after free in ANGLE. Reported by Google on 2026-04-01
[N/A][498700369] Medium CVE-2026-11041: Insufficient validation of untrusted input in Media. Reported by Google on 2026-04-01
[N/A][498720094] Medium CVE-2026-11042: Use after free in Views. Reported by Google on 2026-04-01
[N/A][498721316] Medium CVE-2026-11043: Out of bounds write in ANGLE. Reported by Google on 2026-04-01
[N/A][498724803] Medium CVE-2026-11044: Integer overflow in ANGLE. Reported by Google on 2026-04-01
[N/A][498727111] Medium CVE-2026-11045: Insufficient validation of untrusted input in GPU. Reported by Google on 2026-04-01
[N/A][498728857] Medium CVE-2026-11046: Insufficient validation of untrusted input in Media. Reported by Google on 2026-04-01
[N/A][498768132] Medium CVE-2026-11047: Insufficient validation of untrusted input in Base. Reported by Google on 2026-04-02
[N/A][498808432] Medium CVE-2026-11048: Inappropriate implementation in Extensions. Reported by Google on 2026-04-02
[N/A][498815068] Medium CVE-2026-11049: Use after free in Password Manager. Reported by Google on 2026-04-02
[N/A][498818402] Medium CVE-2026-11050: Use after free in V8. Reported by Google on 2026-04-02
[TBD][498828605] Medium CVE-2026-11051: Out of bounds read in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-04-02
[N/A][498834967] Medium CVE-2026-11052: Type Confusion in GPU. Reported by Google on 2026-04-02
[N/A][498841456] Medium CVE-2026-11053: VULNERABILITY in WebRTC. Reported by Google on 2026-04-02
[N/A][498845284] Medium CVE-2026-11054: Use after free in WebRTC. Reported by Google on 2026-04-02
[N/A][498881735] Medium CVE-2026-11055: Use after free in ANGLE. Reported by Google on 2026-04-02
[N/A][498887785] Medium CVE-2026-11056: Insufficient validation of untrusted input in SiteIsolation. Reported by Google on 2026-04-02
[N/A][498951946] Medium CVE-2026-11057: Uninitialized Use in Skia. Reported by Google on 2026-04-02
[N/A][498986406] Medium CVE-2026-11058: Integer overflow in CredentialProvider. Reported by Google on 2026-04-02
[N/A][498991983] Medium CVE-2026-11059: Use after free in Blink. Reported by Google on 2026-04-02
[N/A][499018355] Medium CVE-2026-11060: Use after free in Media. Reported by Google on 2026-04-02
[N/A][499031961] Medium CVE-2026-11061: Out of bounds read in ANGLE. Reported by Google on 2026-04-02
[N/A][499033012] Medium CVE-2026-11062: Insufficient policy enforcement in Extensions. Reported by Google on 2026-04-02
[N/A][499051067] Medium CVE-2026-11063: Insufficient validation of untrusted input in WebNN. Reported by Google on 2026-04-02
[N/A][499075743] Medium CVE-2026-11064: Uninitialized Use in GPU. Reported by Google on 2026-04-02
[N/A][499093536] Medium CVE-2026-11065: Use after free in ANGLE. Reported by Google on 2026-04-03
[N/A][499124128] Medium CVE-2026-11066: Insufficient validation of untrusted input in ANGLE. Reported by Google on 2026-04-03
[N/A][499140183] Medium CVE-2026-11067: Uninitialized Use in Dawn. Reported by Google on 2026-04-03
[N/A][499194333] Medium CVE-2026-11068: Use after free in WebSockets. Reported by Google on 2026-04-03
[N/A][499213367] Medium CVE-2026-11069: Insufficient validation of untrusted input in Cast. Reported by Google on 2026-04-03
[N/A][499225384] Medium CVE-2026-11070: Insufficient validation of untrusted input in Chromoting. Reported by Google on 2026-04-03
[N/A][499227659] Medium CVE-2026-11071: Use after free in Base. Reported by Google on 2026-04-03
[N/A][499238195] Medium CVE-2026-11072: Use after free in WebView. Reported by Google on 2026-04-03
[N/A][499365904] Medium CVE-2026-11073: Use after free in WebGL. Reported by Google on 2026-04-03
[TBD][499587071] Medium CVE-2026-11074: Use after free in WebRTC. Reported by boboliverfrancishoward@gmail.com on 2026-04-05
[TBD][499659070] Medium CVE-2026-11075: Out of bounds read in V8. Reported by JunYoung Park(@candymate) of KAIST Hacking Lab on 2026-04-06
[N/A][499784386] Medium CVE-2026-11076: Type Confusion in CSS. Reported by Google on 2026-04-05
[TBD][499908918] Medium CVE-2026-11077: Out of bounds read in Dawn. Reported by Anonymous on 2026-04-06
[TBD][499917177] Medium CVE-2026-11078: Insufficient validation of untrusted input in FileSystem. Reported by Eran Rom of Palo Alto Networks on 2026-04-06
[N/A][500028989] Medium CVE-2026-11079: Insufficient validation of untrusted input in Codecs. Reported by Google on 2026-04-06
[N/A][500032538] Medium CVE-2026-11080: Use after free in WebView. Reported by Google on 2026-04-06
[N/A][500076131] Medium CVE-2026-11081: Policy bypass in Canvas. Reported by Google on 2026-04-06
[N/A][500079715] Medium CVE-2026-11082: Use after free in GPU. Reported by Google on 2026-04-06
[N/A][500095743] Medium CVE-2026-11083: Inappropriate implementation in Password Manager. Reported by Google on 2026-04-06
[N/A][500124500] Medium CVE-2026-11084: Inappropriate implementation in Password Manager. Reported by Google on 2026-04-06
[N/A][500132379] Medium CVE-2026-11085: Integer overflow in GPU. Reported by Google on 2026-04-06
[N/A][500140111] Medium CVE-2026-11086: Insufficient validation of untrusted input in Dawn. Reported by Google on 2026-04-07
[N/A][500140149] Medium CVE-2026-11087: Uninitialized Use in ANGLE. Reported by Google on 2026-04-07
[N/A][500144879] Medium CVE-2026-11088: Integer overflow in ANGLE. Reported by Google on 2026-04-07
[N/A][500154880] Medium CVE-2026-11089: Uninitialized Use in Media. Reported by Google on 2026-04-07
[N/A][500161302] Medium CVE-2026-11090: Uninitialized Use in ANGLE. Reported by Google on 2026-04-07
[N/A][500162791] Medium CVE-2026-11091: Inappropriate implementation in Dawn. Reported by Google on 2026-04-07
[N/A][500170887] Medium CVE-2026-11092: Insufficient policy enforcement in DevTools. Reported by Google on 2026-04-07
[N/A][500172365] Medium CVE-2026-11093: Insufficient validation of untrusted input in Printing. Reported by Google on 2026-04-07
[N/A][500174874] Medium CVE-2026-11094: Use after free in Codecs. Reported by Google on 2026-04-07
[N/A][500293394] Medium CVE-2026-11095: Insufficient validation of untrusted input in Codecs. Reported by Google on 2026-04-07
[N/A][500296311] Medium CVE-2026-11096: Out of bounds read in WebRTC. Reported by Google on 2026-04-07
[N/A][500311718] Medium CVE-2026-11097: Inappropriate implementation in WebView. Reported by Google on 2026-04-07
[N/A][500315455] Medium CVE-2026-11098: Insufficient validation of untrusted input in GPU. Reported by Google on 2026-04-07
[N/A][500414865] Medium CVE-2026-11099: Vulnerability in Skia. Reported by Google on 2026-04-07
[N/A][500416901] Medium CVE-2026-11100: Use after free in File Input. Reported by Google on 2026-04-07
[N/A][500443031] Medium CVE-2026-11101: Uninitialized Use in Dawn. Reported by Google on 2026-04-07
[N/A][500468338] Medium CVE-2026-11102: Inappropriate implementation in Isolated Web Apps. Reported by Google on 2026-04-07
[N/A][500483038] Medium CVE-2026-11103: Inappropriate implementation in Installer. Reported by Google on 2026-04-07
[N/A][500501226] Medium CVE-2026-11104: Uninitialized Use in ANGLE. Reported by Google on 2026-04-08
[N/A][500505339] Medium CVE-2026-11105: Insufficient validation of untrusted input in WebUI. Reported by Google on 2026-04-08
[N/A][500508725] Medium CVE-2026-11106: Inappropriate implementation in Media. Reported by Google on 2026-04-08
[N/A][500510384] Medium CVE-2026-11107: Inappropriate implementation in Downloads. Reported by Google on 2026-04-08
[N/A][500517053] Medium CVE-2026-11108: Inappropriate implementation in NFC. Reported by Google on 2026-04-08
[N/A][500524833] Medium CVE-2026-11109: Uninitialized Use in ANGLE. Reported by Google on 2026-04-08
[N/A][500528864] Medium CVE-2026-11110: Uninitialized Use in ANGLE. Reported by Google on 2026-04-08
[N/A][500530720] Medium CVE-2026-11111: Out of bounds read in ANGLE. Reported by Google on 2026-04-08
[N/A][500541413] Medium CVE-2026-11112: Insufficient validation of untrusted input in Chromoting. Reported by Google on 2026-04-08
[N/A][500560764] Medium CVE-2026-11113: Insufficient validation of untrusted input in ANGLE. Reported by Google on 2026-04-08
[N/A][501360342] Medium CVE-2026-11114: Use after free in Device Trust. Reported by Google on 2026-04-10
[N/A][501370283] Medium CVE-2026-11115: Use after free in Updater. Reported by Google on 2026-04-10
[N/A][501376612] Medium CVE-2026-11116: Use after free in Chromoting. Reported by Google on 2026-04-10
[N/A][501403820] Medium CVE-2026-11117: Use after free in Views. Reported by Google on 2026-04-10
[N/A][501424047] Medium CVE-2026-11118: Use after free in WebRTC. Reported by Google on 2026-04-10
[N/A][501461853] Medium CVE-2026-11119: Insufficient validation of untrusted input in GPU. Reported by Google on 2026-04-10
[N/A][501467566] Medium CVE-2026-11120: Insufficient validation of untrusted input in Enterprise Reporting. Reported by Google on 2026-04-10
[N/A][501483855] Medium CVE-2026-11121: Insufficient validation of untrusted input in Skia. Reported by Google on 2026-04-10
[N/A][501485453] Medium CVE-2026-11122: Inappropriate implementation in Keyboard. Reported by Google on 2026-04-10
[N/A][501505198] Medium CVE-2026-11123: Uninitialized Use in ANGLE. Reported by Google on 2026-04-10
[N/A][501511299] Medium CVE-2026-11124: Heap buffer overflow in Skia. Reported by Google on 2026-04-10
[N/A][501517520] Medium CVE-2026-11125: Use after free in Compositing. Reported by Google on 2026-04-10
[N/A][501528031] Medium CVE-2026-11126: Insufficient validation of untrusted input in DevTools. Reported by Google on 2026-04-10
[N/A][501535295] Medium CVE-2026-11127: Inappropriate implementation in WebAPKs. Reported by Google on 2026-04-10
[N/A][501541341] Medium CVE-2026-11128: Insufficient validation of untrusted input in Web Share. Reported by Google on 2026-04-10
[N/A][501541962] Medium CVE-2026-11129: Inappropriate implementation in Extensions. Reported by Google on 2026-04-10
[N/A][501546443] Medium CVE-2026-11130: Use after free in Media. Reported by Google on 2026-04-11
[N/A][501561644] Medium CVE-2026-11131: Use after free in Autofill. Reported by Google on 2026-04-11
[N/A][501597365] Medium CVE-2026-11132: Policy bypass in Paint. Reported by Google on 2026-04-11
[N/A][501606085] Medium CVE-2026-11133: Insufficient policy enforcement in Paint. Reported by Google on 2026-04-11
[N/A][501640084] Medium CVE-2026-11134: Insufficient data validation in Media. Reported by Google on 2026-04-11
[N/A][501644835] Medium CVE-2026-11135: Insufficient policy enforcement in Autofill. Reported by Google on 2026-04-11
[TBD][501646327] Medium CVE-2026-11136: Use after free in Canvas. Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po) on 2026-04-11
[N/A][501647943] Medium CVE-2026-11137: Uninitialized Use in ANGLE. Reported by Google on 2026-04-11
[N/A][501650354] Medium CVE-2026-11138: Uninitialized Use in ANGLE. Reported by Google on 2026-04-11
[N/A][501650594] Medium CVE-2026-11139: Policy bypass in Paint. Reported by Google on 2026-04-11
[N/A][501659253] Medium CVE-2026-11140: Insufficient validation of untrusted input in Chromecast. Reported by Google on 2026-04-11
[N/A][501667839] Medium CVE-2026-11141: Uninitialized Use in Audio. Reported by Google on 2026-04-11
[N/A][501668745] Medium CVE-2026-11142: Policy bypass in Paint. Reported by Google on 2026-04-11
[N/A][501674219] Medium CVE-2026-11143: Heap buffer overflow in Extensions. Reported by Google on 2026-04-11
[N/A][501676175] Medium CVE-2026-11144: Use after free in Media. Reported by Google on 2026-04-11
[N/A][501683745] Medium CVE-2026-11145: Race in Geolocation. Reported by Google on 2026-04-11
[N/A][501709220] Medium CVE-2026-11146: Insufficient validation of untrusted input in Chromoting. Reported by Google on 2026-04-11
[N/A][501731689] Medium CVE-2026-11147: Use after free in WebML. Reported by Google on 2026-04-11
[N/A][501738451] Medium CVE-2026-11148: Inappropriate implementation in Payments. Reported by Google on 2026-04-11
[N/A][501739206] Medium CVE-2026-11149: Insufficient validation of untrusted input in Extensions. Reported by Google on 2026-04-11
[N/A][501740299] Medium CVE-2026-11150: Inappropriate implementation in XML. Reported by Google on 2026-04-11
[N/A][501740323] Medium CVE-2026-11151: Insufficient validation of untrusted input in Password Manager. Reported by Google on 2026-04-11
[N/A][501762953] Medium CVE-2026-11152: Object lifecycle issue in Dawn. Reported by Google on 2026-04-11
[N/A][501779840] Medium CVE-2026-11153: Side-channel information leakage in Forms. Reported by Google on 2026-04-12
[N/A][501789156] Medium CVE-2026-11154: Use after free in Dawn. Reported by Google on 2026-04-12
[N/A][501801823] Medium CVE-2026-11155: Insufficient policy enforcement in CSS. Reported by Google on 2026-04-12
[N/A][501810226] Medium CVE-2026-11156: Inappropriate implementation in CSS. Reported by Google on 2026-04-12
[N/A][501823385] Medium CVE-2026-11157: Script injection in Accessibility. Reported by Google on 2026-04-12
[N/A][501844153] Medium CVE-2026-11158: Insufficient validation of untrusted input in Downloads. Reported by Google on 2026-04-12
[N/A][501861921] Medium CVE-2026-11159: Uninitialized Use in Skia. Reported by Google on 2026-04-12
[N/A][501862016] Medium CVE-2026-11160: Out of bounds read in Input. Reported by Google on 2026-04-12
[N/A][501920294] Medium CVE-2026-11161: Insufficient data validation in DataTransfer. Reported by Google on 2026-04-12
[N/A][502035074] Medium CVE-2026-11162: Insufficient policy enforcement in CSS. Reported by Google on 2026-04-13
[N/A][502072755] Medium CVE-2026-11163: Use after free in Messages. Reported by Google on 2026-04-13
[N/A][502089411] Medium CVE-2026-11164: Use after free in Blink. Reported by Google on 2026-04-13
[N/A][502099949] Medium CVE-2026-11165: Use after free in WebMIDI. Reported by Google on 2026-04-13
[N/A][502118936] Medium CVE-2026-11166: Inappropriate implementation in SVG. Reported by Google on 2026-04-13
[N/A][502228856] Medium CVE-2026-11167: Inappropriate implementation in WebView. Reported by Google on 2026-04-13
[N/A][502256049] Medium CVE-2026-11168: Insufficient policy enforcement in Extensions. Reported by Google on 2026-04-13
[N/A][502285273] Medium CVE-2026-11169: Inappropriate implementation in XML. Reported by Google on 2026-04-13
[N/A][502322596] Medium CVE-2026-11170: Inappropriate implementation in Chromoting. Reported by Google on 2026-04-13
[N/A][502322843] Medium CVE-2026-11171: Integer overflow in Blink. Reported by Google on 2026-04-13
[TBD][502328201] Medium CVE-2026-11172: Incorrect security UI in Contact Picker. Reported by mochazril.ti@gmail.com on 2026-04-14
[N/A][502337304] Medium CVE-2026-11173: Out of bounds write in V8. Reported by Google on 2026-04-14
[N/A][502348223] Medium CVE-2026-11174: Insufficient policy enforcement in Site Isolation. Reported by Google on 2026-04-14
[N/A][502368088] Medium CVE-2026-11175: Incorrect security UI in Messages. Reported by Google on 2026-04-14
[N/A][502371717] Medium CVE-2026-11176: Inappropriate implementation in Media. Reported by Google on 2026-04-14
[TBD][502449864] Medium CVE-2026-11177: Use after free in Omnibox. Reported by gevakun on 2026-04-14
[N/A][502501810] Medium CVE-2026-11178: Policy bypass in WebView. Reported by Google on 2026-04-14
[N/A][502615170] Medium CVE-2026-11179: Inappropriate implementation in ORB. Reported by Google on 2026-04-14
[N/A][502631225] Medium CVE-2026-11180: Policy bypass in SVG. Reported by Google on 2026-04-14
[N/A][502633299] Medium CVE-2026-11181: Inappropriate implementation in Media Session. Reported by Google on 2026-04-14
[N/A][502651014] Medium CVE-2026-11182: Inappropriate implementation in SVG. Reported by Google on 2026-04-14
[N/A][502768780] Medium CVE-2026-11183: Out of bounds read in GWP-ASan. Reported by Google on 2026-04-15
[N/A][502777516] Medium CVE-2026-11184: Insufficient policy enforcement in Actor. Reported by Google on 2026-04-15
[N/A][502784366] Medium CVE-2026-11185: Use after free in V8. Reported by Google on 2026-04-15
[N/A][502805170] Medium CVE-2026-11186: Inappropriate implementation in CSS. Reported by Google on 2026-04-15
[N/A][502819675] Medium CVE-2026-11187: Insufficient policy enforcement in Glic. Reported by Google on 2026-04-15
[N/A][502959826] Medium CVE-2026-11188: Use after free in USB. Reported by Google on 2026-04-15
[TBD][503197481] Medium CVE-2026-11189: Insufficient validation of untrusted input in DevTools. Reported by lebr0nli of National Yang Ming Chiao Tung University, Dept. of CS, Security and Systems Lab on 2026-04-16
[N/A][503375371] Medium CVE-2026-11190: Insufficient policy enforcement in Extensions. Reported by Google on 2026-04-16
[N/A][503392431] Medium CVE-2026-11191: Out of bounds memory access in ANGLE. Reported by Google on 2026-04-16
[N/A][503490678] Medium CVE-2026-11192: Insufficient validation of untrusted input in Password Manager. Reported by Google on 2026-04-17
[N/A][503642586] Medium CVE-2026-11193: Insufficient policy enforcement in Password Manager. Reported by Google on 2026-04-17
[N/A][503719488] Medium CVE-2026-11194: Inappropriate implementation in Network. Reported by Google on 2026-04-17
[N/A][503865896] Medium CVE-2026-11195: Inappropriate implementation in MHTML. Reported by Google on 2026-04-17
[N/A][503879106] Medium CVE-2026-11196: Type Confusion in XML. Reported by Google on 2026-04-17
[TBD][504073872] Medium CVE-2026-11197: Insufficient policy enforcement in Workers. Reported by VEZEKA on 2026-04-19
[N/A][504395300] Medium CVE-2026-11198: Insufficient validation of untrusted input in Codecs. Reported by Google on 2026-04-20
[N/A][504572664] Medium CVE-2026-11199: Insufficient validation of untrusted input in WebRTC. Reported by Google on 2026-04-20
[N/A][504579798] Medium CVE-2026-11200: Inappropriate implementation in WebRTC. Reported by Google on 2026-04-20
[TBD][505068950] Medium CVE-2026-11201: Use after free in ServiceWorker. Reported by Weipeng Jiang (@Krace) of VRI on 2026-04-22
[N/A][505144022] Medium CVE-2026-11202: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google on 2026-04-22
[N/A][505192638] Medium CVE-2026-11203: Policy bypass in GPU. Reported by Google on 2026-04-22
[N/A][505200733] Medium CVE-2026-11204: Inappropriate implementation in Signin. Reported by Google on 2026-04-22
[N/A][505290253] Medium CVE-2026-11205: Insufficient validation of untrusted input in Chrome for iOS. Reported by Google on 2026-04-22
[TBD][505427216] Medium CVE-2026-11206: Policy bypass in ServiceWorker. Reported by David Bors, Catalin Iovita on 2026-04-23
[N/A][506127858] Medium CVE-2026-11207: Insufficient validation of untrusted input in Autofill. Reported by Google on 2026-04-24
[N/A][506387278] Medium CVE-2026-11208: Use after free in Codecs. Reported by Google on 2026-04-25
[N/A][506391032] Medium CVE-2026-11209: Insufficient policy enforcement in Passwords. Reported by Google on 2026-04-25
[N/A][506473226] Medium CVE-2026-11210: Insufficient policy enforcement in Safe Browsing. Reported by Google on 2026-04-25
[N/A][506629455] Medium CVE-2026-11211: Integer overflow in V8. Reported by Google on 2026-04-26
[N/A][507216833] Medium CVE-2026-11212: Insufficient policy enforcement in DevTools. Reported by Google on 2026-04-28
[N/A][507382702] Medium CVE-2026-11213: Insufficient validation of untrusted input in Reading Mode. Reported by Google on 2026-04-28
[N/A][508257850] Medium CVE-2026-11214: Inappropriate implementation in Chrome for iOS. Reported by Google on 2026-04-30
[N/A][513446116] Medium CVE-2026-11215: Inappropriate implementation in Cronet. Reported by Google on 2026-05-15
[$3000][474583539] Low CVE-2026-11216: Incorrect security UI in File Input. Reported by Azza Tegar Naufal Ataullah on 2026-01-10
[$3000][487564032] Low CVE-2026-11217: Insufficient policy enforcement in Fenced Frames. Reported by Tianyi Hu on 2026-02-25
[$2000][476862276] Low CVE-2026-11218: Inappropriate implementation in PlatformIntegration. Reported by Han Liu (Xi’an Jiaotong University, School of Cyber Science and Engineering)
on 2026-01-19
[$2000][480074849] Low CVE-2026-11219: Insufficient data validation in Navigation. Reported by Bharat (mrnoob) on 2026-01-30
[$2000][487300831] Low CVE-2026-11220: Insufficient validation of untrusted input in Navigation. Reported by Tianyi Hu on 2026-02-24
[$1500][492211919] Low CVE-2026-11221: Insufficient validation of untrusted input in PointerLock. Reported by mihalis.haatainen@bountyy.fi on 2026-03-12
[$1000][458442542] Low CVE-2026-11222: Incorrect security UI in Tab Strip. Reported by Hafiizh on 2025-11-07
[$1000][494800494] Low CVE-2026-11223: Insufficient validation of untrusted input in Network. Reported by Tianyi Hu on 2026-03-21
[$500][502461760] Low CVE-2026-11224: Use after free in Chromoting. Reported by David Bors, Catalin Iovita on 2026-04-14
[$500][503346647] Low CVE-2026-11225: Incorrect security UI in WebUI. Reported by Tareq Ahamed - itztrq on 2026-04-16
[N/A][385662278] Low CVE-2026-11226: Insufficient policy enforcement in PreviewTab. Reported by Google on 2020-03-05
[TBD][448421954] Low CVE-2026-11227: Incorrect security UI in Tab Hover Cards. Reported by Hafiizh on 2025-10-01
[TBD][454484864] Low CVE-2026-11228: Incorrect security UI in File Input. Reported by Umar Farooq on 2025-10-23
[TBD][482713603] Low CVE-2026-11229: Insufficient policy enforcement in Enterprise. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-02-08
[N/A][493225428] Low CVE-2026-11230: Use after free in Extensions. Reported by Google on 2026-03-16
[N/A][495840862] Low CVE-2026-11231: Inappropriate implementation in Safe Browsing. Reported by Google on 2026-03-24
[N/A][495981782] Low CVE-2026-11232: Inappropriate implementation in TabGroups. Reported by Google on 2026-03-25
[N/A][496088449] Low CVE-2026-11233: Insufficient validation of untrusted input in FoldableAPIs. Reported by Google on 2026-03-25
[N/A][496095145] Low CVE-2026-11234: Insufficient policy enforcement in FoldableAPIs. Reported by Google on 2026-03-25
[N/A][496419374] Low CVE-2026-11235: Insufficient validation of untrusted input in Compositing. Reported by Google on 2026-03-26
[N/A][496427030] Low CVE-2026-11236: Insufficient policy enforcement in Web Bluetooth. Reported by Google on 2026-03-26
[N/A][496617698] Low CVE-2026-11237: Insufficient validation of untrusted input in Media. Reported by Google on 2026-03-26
[N/A][496705691] Low CVE-2026-11238: Inappropriate implementation in DevTools. Reported by Google on 2026-03-26
[N/A][497025738] Low CVE-2026-11239: Insufficient validation of untrusted input in Extensions. Reported by Google on 2026-03-27
[N/A][497030032] Low CVE-2026-11240: Insufficient validation of untrusted input in Loader. Reported by Google on 2026-03-27
[N/A][497203741] Low CVE-2026-11241: Insufficient validation of untrusted input in Cast. Reported by Google on 2026-03-28
[N/A][497385823] Low CVE-2026-11242: Insufficient validation of untrusted input in Plugins. Reported by Google on 2026-03-29
[N/A][497394061] Low CVE-2026-11243: Incorrect security UI in Downloads. Reported by Google on 2026-03-29
[N/A][497609145] Low CVE-2026-11244: Insufficient validation of untrusted input in WebAuthentication. Reported by Google on 2026-03-30
[N/A][497610654] Low CVE-2026-11245: Inappropriate implementation in Payments. Reported by Google on 2026-03-30
[N/A][497660733] Low CVE-2026-11246: Insufficient validation of untrusted input in IndexedDB. Reported by Google on 2026-03-30
[N/A][497865734] Low CVE-2026-11247: Insufficient policy enforcement in CustomTabs. Reported by Google on 2026-03-30
[N/A][497946941] Low CVE-2026-11248: Policy bypass in Google Lens. Reported by Google on 2026-03-30
[N/A][497989379] Low CVE-2026-11249: Use after free in Network. Reported by Google on 2026-03-31
[N/A][498281224] Low CVE-2026-11250: Inappropriate implementation in DevTools. Reported by Google on 2026-03-31
[N/A][498301853] Low CVE-2026-11251: Insufficient validation of untrusted input in Password Manager. Reported by Google on 2026-03-31
[N/A][498373018] Low CVE-2026-11252: Policy bypass in Content Settings. Reported by Google on 2026-04-01
[N/A][498397912] Low CVE-2026-11253: Race in Permissions. Reported by Google on 2026-04-01
[N/A][498405554] Low CVE-2026-11254: Inappropriate implementation in Permissions. Reported by Google on 2026-04-01
[N/A][498417152] Low CVE-2026-11255: Insufficient validation of untrusted input in Storage Access API. Reported by Google on 2026-04-01
[N/A][498856565] Low CVE-2026-11256: Out of bounds read in GPU. Reported by Google on 2026-04-02
[N/A][499051898] Low CVE-2026-11257: Inappropriate implementation in Browser. Reported by Google on 2026-04-02
[N/A][499078161] Low CVE-2026-11258: Inappropriate implementation in File System Access. Reported by Google on 2026-04-02
[N/A][499215943] Low CVE-2026-11259: Insufficient validation of untrusted input in Cast. Reported by Google on 2026-04-03
[N/A][499257860] Low CVE-2026-11260: Policy bypass in Permissions. Reported by Google on 2026-04-03
[N/A][499262832] Low CVE-2026-11261: Insufficient validation of untrusted input in PDF. Reported by Google on 2026-04-03
[N/A][499386363] Low CVE-2026-11262: Use after free in TabStrip. Reported by Google on 2026-04-03
[N/A][500044225] Low CVE-2026-11263: Insufficient policy enforcement in WebAuthentication. Reported by Google on 2026-04-06
[N/A][500099106] Low CVE-2026-11264: Policy bypass in Content Security Policy. Reported by Google on 2026-04-06
[N/A][500262869] Low CVE-2026-11265: Insufficient data validation in Autofill. Reported by Google on 2026-04-07
[N/A][500521311] Low CVE-2026-11266: Policy bypass in SafeBrowsing. Reported by Google on 2026-04-08
[N/A][500528267] Low CVE-2026-11267: Insufficient policy enforcement in Extensions. Reported by Google on 2026-04-08
[N/A][500528706] Low CVE-2026-11268: Uninitialized Use in ANGLE. Reported by Google on 2026-04-08
[N/A][500551122] Low CVE-2026-11269: Inappropriate implementation in Extensions. Reported by Google on 2026-04-08
[N/A][501504245] Low CVE-2026-11270: Inappropriate implementation in UI. Reported by Google on 2026-04-10
[N/A][501685207] Low CVE-2026-11271: Incorrect security UI in Passwords. Reported by Google on 2026-04-11
[N/A][501747321] Low CVE-2026-11272: Insufficient validation of untrusted input in Reading List. Reported by Google on 2026-04-11
[N/A][501757688] Low CVE-2026-11273: Insufficient validation of untrusted input in Omnibox. Reported by Google on 2026-04-11
[N/A][501760514] Low CVE-2026-11274: Inappropriate implementation in DOM Distiller. Reported by Google on 2026-04-11
[N/A][501763121] Low CVE-2026-11275: Insufficient policy enforcement in Page Info. Reported by Google on 2026-04-11
[N/A][501780338] Low CVE-2026-11276: Inappropriate implementation in Cast. Reported by Google on 2026-04-12
[N/A][501839664] Low CVE-2026-11277: Insufficient policy enforcement in Chrome for iOS. Reported by Google on 2026-04-12
[N/A][501859865] Low CVE-2026-11278: Inappropriate implementation in CustomTabs. Reported by Google on 2026-04-12
[N/A][501878477] Low CVE-2026-11279: Out of bounds read in DevTools. Reported by Google on 2026-04-12
[N/A][501892820] Low CVE-2026-11280: Insufficient validation of untrusted input in Signin. Reported by Google on 2026-04-12
[N/A][501900366] Low CVE-2026-11281: Integer overflow in Chromoting. Reported by Google on 2026-04-12
[N/A][502023400] Low CVE-2026-11282: Policy bypass in Sandbox. Reported by Google on 2026-04-13
[N/A][502069297] Low CVE-2026-11283: Policy bypass in Shortcuts. Reported by Google on 2026-04-13
[N/A][502073069] Low CVE-2026-11284: Side-channel information leakage in PerformanceAPIs. Reported by Google on 2026-04-13
[N/A][502090914] Low CVE-2026-11285: Insufficient policy enforcement in Chrome for iOS. Reported by Google on 2026-04-13
[N/A][502110170] Low CVE-2026-11286: Insufficient validation of untrusted input in Wallet. Reported by Google on 2026-04-13
[N/A][502173136] Low CVE-2026-11287: Insufficient validation of untrusted input in Navigation. Reported by Google on 2026-04-13
[N/A][502231588] Low CVE-2026-11288: Policy bypass in CSS. Reported by Google on 2026-04-13
[N/A][502239897] Low CVE-2026-11289: Side-channel information leakage in Paint. Reported by Google on 2026-04-13
[N/A][502264647] Low CVE-2026-11290: Integer overflow in WebView. Reported by Google on 2026-04-13
[N/A][502346855] Low CVE-2026-11291: Policy bypass in Android Autofill. Reported by Google on 2026-04-14
[N/A][502358901] Low CVE-2026-11292: Policy bypass in Blink. Reported by Google on 2026-04-14
[TBD][502362260] Low CVE-2026-11293: Use after free in Input. Reported by Weipeng Jiang (@Krace) of VRI on 2026-04-14
[N/A][502403953] Low CVE-2026-11294: Inappropriate implementation in Passwords. Reported by Google on 2026-04-14
[N/A][502444677] Low CVE-2026-11295: Inappropriate implementation in WebView. Reported by Google on 2026-04-14
[N/A][502493950] Low CVE-2026-11296: Inappropriate implementation in ImageCapture. Reported by Google on 2026-04-14
[N/A][502502017] Low CVE-2026-11297: Insufficient validation of untrusted input in Reader Mode. Reported by Google on 2026-04-14
[N/A][502503860] Low CVE-2026-11298: Insufficient policy enforcement in Chrome for iOS. Reported by Google on 2026-04-14
[TBD][502598424] Low CVE-2026-11299: Out of bounds read in Fonts. Reported by sharadboni@gmail.com on 2026-04-14
[N/A][503614310] Low CVE-2026-11300: Inappropriate implementation in Permissions. Reported by Google on 2026-04-17
[N/A][504180386] Low CVE-2026-11301: Out of bounds read in LiveCaption. Reported by Google on 2026-04-19
[N/A][504196549] Low CVE-2026-11302: Insufficient policy enforcement in Chrome for iOS. Reported by Google on 2026-04-19
[N/A][504416752] Low CVE-2026-11303: Use after free in PDFium. Reported by Google on 2026-04-20
[N/A][504418475] Low CVE-2026-11304: Use after free in PDFium. Reported by Google on 2026-04-20
[N/A][504545544] Low CVE-2026-11305: Use after free in PDFium. Reported by Google on 2026-04-20
[N/A][504548949] Low CVE-2026-11306: Use after free in PDFium. Reported by Google on 2026-04-20
[N/A][504551617] Low CVE-2026-11307: Use after free in PDFium. Reported by Google on 2026-04-20
[N/A][505945112] Low CVE-2026-11308: Inappropriate implementation in Extensions. Reported by Google on 2026-04-24
[N/A][506392934] Low CVE-2026-11309: Insufficient policy enforcement in History. Reported by Google on 2026-04-25
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
Google Chrome
The Stable channel has been updated to 149.0.7827.53/.54 for Windows and Mac as part of our early stable release to a small percentage of users. A full list of changes in this build is available in the log.
You can find more details about early Stable releases here.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
Google Chrome
The Stable channel has been updated to 148.0.7778.216/217 for Windows and 148.0.7778.215/216 Mac and 148.0.7778.215 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
This update includes 151 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[$43000][505077859] Critical CVE-2026-9872: Out of bounds write in GPU. Reported by cinzinga on 2026-04-21
[$43000][507365348] Critical CVE-2026-9873: Use after free in Network. Reported by cinzinga on 2026-04-28
[$11000][500609038] Critical CVE-2026-9874: Use after free in Dawn. Reported by Anonymous on 2026-04-08
[$5000][507508103] Critical CVE-2026-9875: Out of bounds read in WebGL. Reported by Anonymous on 2026-04-29
[TBD][493747593] Critical CVE-2026-9876: Use after free in WebGL. Reported by happy2me on 2026-03-18
[N/A][496445460] Critical CVE-2026-9877: Use after free in ANGLE. Reported by Google on 2026-03-26
[N/A][499054245] Critical CVE-2026-9878: Use after free in ANGLE. Reported by Google on 2026-04-02
[N/A][499129768] Critical CVE-2026-9879: Out of bounds write in ANGLE. Reported by Google on 2026-04-03
[N/A][503615025] Critical CVE-2026-9880: Insufficient validation of untrusted input in WebGL. Reported by Google on 2026-04-17
[N/A][505140741] Critical CVE-2026-9881: Use after free in Bluetooth. Reported by Google on 2026-04-22
[N/A][506375217] Critical CVE-2026-9882: Integer overflow in ANGLE. Reported by Google on 2026-04-25
[N/A][506477192] Critical CVE-2026-9883: Use after free in Base. Reported by Google on 2026-04-25
[N/A][508289938] Critical CVE-2026-9884: Use after free in Browser. Reported by Google on 2026-04-30
[N/A][508452241] Critical CVE-2026-9885: Insufficient validation of untrusted input in UI. Reported by Google on 2026-05-01
[N/A][508456788] Critical CVE-2026-9886: Use after free in Base. Reported by Google on 2026-05-01
[N/A][511249104] Critical CVE-2026-9887: Use after free in Proxy. Reported by Google on 2026-05-08
[N/A][511715166] Critical CVE-2026-9888: Use after free in WebView. Reported by Google on 2026-05-10
[N/A][511727159] Critical CVE-2026-9889: Out of bounds read and write in Dawn. Reported by Google on 2026-05-10
[N/A][513135985] Critical CVE-2026-9890: Use after free in XR. Reported by Google on 2026-05-14
[N/A][513508128] Critical CVE-2026-9891: Use after free in Extensions. Reported by Google on 2026-05-15
[N/A][513948178] Critical CVE-2026-9892: Inappropriate implementation in Skia. Reported by Google on 2026-05-16
[N/A][513972075] Critical CVE-2026-9893: Use after free in Skia. Reported by Google on 2026-05-17
[$25000][507707838] High CVE-2026-9894: Use after free in GPU. Reported by tohafrit on 2026-04-29
[$3000][491685406] High CVE-2026-9895: Out of bounds read in GPU. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-11
[$500][508811474] High CVE-2026-9896: Out of bounds write in V8. Reported by 303f06e3 on 2026-05-02
[N/A][496271580] High CVE-2026-9897: Use after free in DOM. Reported by Google on 2026-03-25
[N/A][496282591] High CVE-2026-9898: Insufficient validation of untrusted input in GPU. Reported by Google on 2026-03-25
[N/A][497533569] High CVE-2026-9899: Use after free in ANGLE. Reported by Google on 2026-03-29
[N/A][497637277] High CVE-2026-9900: Out of bounds write in ANGLE. Reported by Google on 2026-03-30
[N/A][497737770] High CVE-2026-9901: Use after free in ANGLE. Reported by Google on 2026-03-30
[N/A][498205735] High CVE-2026-9902: Use after free in Accessibility. Reported by Google on 2026-03-31
[N/A][498783665] High CVE-2026-9903: Insufficient validation of untrusted input in Site Isolation. Reported by Google on 2026-04-02
[N/A][498804020] High CVE-2026-9904: Use after free in ANGLE. Reported by Google on 2026-04-02
[N/A][498883610] High CVE-2026-9905: Use after free in Accessibility. Reported by Google on 2026-04-02
[N/A][499005260] High CVE-2026-9906: Out of bounds write in GPU. Reported by Google on 2026-04-02
[N/A][499091269] High CVE-2026-9907: Out of bounds read in Dawn. Reported by Google on 2026-04-03
[N/A][499091328] High CVE-2026-9908: Out of bounds read in ANGLE. Reported by Google on 2026-04-03
[N/A][499152771] High CVE-2026-9909: Integer overflow in Skia. Reported by Google on 2026-04-03
[N/A][499176133] High CVE-2026-9910: Out of bounds memory access in ANGLE. Reported by Google on 2026-04-03
[N/A][499205491] High CVE-2026-9911: Integer overflow in ANGLE. Reported by Google on 2026-04-03
[N/A][499873765] High CVE-2026-9912: Inappropriate implementation in GPU. Reported by Google on 2026-04-06
[N/A][500046096] High CVE-2026-9913: Inappropriate implementation in ANGLE. Reported by Google on 2026-04-06
[N/A][500047428] High CVE-2026-9914: Insufficient validation of untrusted input in ANGLE. Reported by Google on 2026-04-06
[N/A][500063836] High CVE-2026-9915: Heap buffer overflow in ANGLE. Reported by Google on 2026-04-06
[N/A][500080303] High CVE-2026-9916: Out of bounds write in ANGLE. Reported by Google on 2026-04-06
[N/A][500095304] High CVE-2026-9917: Uninitialized Use in WebGL. Reported by Google on 2026-04-06
[N/A][500099471] High CVE-2026-9918: Inappropriate implementation in Tint. Reported by Google on 2026-04-06
[N/A][500114058] High CVE-2026-9919: Out of bounds read in WebGL. Reported by Google on 2026-04-06
[N/A][500138014] High CVE-2026-9920: Uninitialized Use in GPU. Reported by Google on 2026-04-07
[N/A][500150338] High CVE-2026-9921: Uninitialized Use in WebGL. Reported by Google on 2026-04-07
[N/A][500187083] High CVE-2026-9922: Use after free in GPU. Reported by Google on 2026-04-07
[N/A][500393328] High CVE-2026-9923: Use after free in Skia. Reported by Google on 2026-04-07
[N/A][500398345] High CVE-2026-9924: Heap buffer overflow in ANGLE. Reported by Google on 2026-04-07
[N/A][500536458] High CVE-2026-9925: Use after free in ANGLE. Reported by Google on 2026-04-08
[N/A][500540748] High CVE-2026-9926: Heap buffer overflow in ANGLE. Reported by Google on 2026-04-08
[N/A][500540958] High CVE-2026-9927: Use after free in ANGLE. Reported by Google on 2026-04-08
[TBD][501125002] High CVE-2026-9928: Out of bounds read in ANGLE. Reported by Jeff Muizelaar - Mozilla on 2026-04-09
[N/A][501367791] High CVE-2026-9929: Inappropriate implementation in WebGL. Reported by Google on 2026-04-10
[N/A][501499832] High CVE-2026-9930: Out of bounds write in Dawn. Reported by Google on 2026-04-10
[N/A][501524262] High CVE-2026-9931: Use after free in GPU. Reported by Google on 2026-04-10
[N/A][501563323] High CVE-2026-9932: Use after free in ANGLE. Reported by Google on 2026-04-11
[N/A][501575979] High CVE-2026-9933: Use after free in Input. Reported by Google on 2026-04-11
[N/A][501576946] High CVE-2026-9934: Use after free in Aura. Reported by Google on 2026-04-11
[N/A][501584689] High CVE-2026-9935: Uninitialized Use in ANGLE. Reported by Google on 2026-04-11
[N/A][502104354] High CVE-2026-9936: Use after free in GFX. Reported by Google on 2026-04-13
[N/A][502112506] High CVE-2026-9937: Use after free in UI. Reported by Google on 2026-04-13
[N/A][502300817] High CVE-2026-9938: Inappropriate implementation in V8. Reported by Google on 2026-04-13
[N/A][502735235] High CVE-2026-9939: Heap buffer overflow in WebCodecs. Reported by Google on 2026-04-15
[N/A][502738003] High CVE-2026-9940: Heap buffer overflow in ANGLE. Reported by Google on 2026-04-15
[N/A][502812366] High CVE-2026-9941: Use after free in ANGLE. Reported by Google on 2026-04-15
[N/A][503438092] High CVE-2026-9942: Uninitialized Use in ANGLE. Reported by Google on 2026-04-16
[N/A][503464551] High CVE-2026-9943: Out of bounds read in WebGL. Reported by Google on 2026-04-16
[N/A][503471286] High CVE-2026-9944: Uninitialized Use in ANGLE. Reported by Google on 2026-04-16
[N/A][503565293] High CVE-2026-9945: Use after free in Media. Reported by Google on 2026-04-17
[N/A][503596863] High CVE-2026-9946: Use after free in ANGLE. Reported by Google on 2026-04-17
[N/A][503627446] High CVE-2026-9947: Use after free in XML. Reported by Google on 2026-04-17
[N/A][503790201] High CVE-2026-9948: Use after free in Views. Reported by Google on 2026-04-17
[N/A][503793153] High CVE-2026-9949: Use after free in Core. Reported by Google on 2026-04-17
[N/A][503862359] High CVE-2026-9950: Insufficient validation of untrusted input in iOS. Reported by Google on 2026-04-17
[N/A][503873388] High CVE-2026-9951: Use after free in UI. Reported by Google on 2026-04-17
[N/A][503929476] High CVE-2026-9952: Use after free in WebAudio. Reported by Google on 2026-04-18
[N/A][503985322] High CVE-2026-9953: Out of bounds read in ANGLE. Reported by Google on 2026-04-18
[TBD][504175497] High CVE-2026-9954: Use after free in TabStrip. Reported by yueliu of Microsoft on 2026-04-19
[N/A][504184408] High CVE-2026-9955: Inappropriate implementation in iOS. Reported by Google on 2026-04-19
[N/A][504195132] High CVE-2026-9956: Use after free in iOS. Reported by Google on 2026-04-19
[N/A][504516117] High CVE-2026-9957: Use after free in PDF. Reported by Google on 2026-04-20
[N/A][504555886] High CVE-2026-9958: Use after free in PDFium. Reported by Google on 2026-04-20
[N/A][504557432] High CVE-2026-9959: Race in WebRTC. Reported by Google on 2026-04-20
[N/A][504573260] High CVE-2026-9960: Integer overflow in PDFium. Reported by Google on 2026-04-20
[N/A][504710769] High CVE-2026-9961: Use after free in SurfaceCapture. Reported by Google on 2026-04-20
[N/A][504716948] High CVE-2026-9962: Use after free in WebRTC. Reported by Google on 2026-04-20
[N/A][505143241] High CVE-2026-9963: Uninitialized Use in iOS. Reported by Google on 2026-04-22
[N/A][505190999] High CVE-2026-9964: Use after free in Bluetooth. Reported by Google on 2026-04-22
[N/A][506377574] High CVE-2026-9965: Out of bounds write in ANGLE. Reported by Google on 2026-04-25
[N/A][506388321] High CVE-2026-9966: Integer overflow in XML. Reported by Google on 2026-04-25
[N/A][506414791] High CVE-2026-9967: Out of bounds write in GPU. Reported by Google on 2026-04-25
[N/A][506499280] High CVE-2026-9968: Integer overflow in V8. Reported by Google on 2026-04-25
[N/A][506550494] High CVE-2026-9969: Insufficient validation of untrusted input in ANGLE. Reported by Google on 2026-04-26
[TBD][506653647] High CVE-2026-9970: Use after free in WebGL. Reported by TFGC on 2026-04-26
[N/A][508448586] High CVE-2026-9971: Inappropriate implementation in iOS. Reported by Google on 2026-05-01
[N/A][508463705] High CVE-2026-9972: Uninitialized Use in Gamepad. Reported by Google on 2026-05-01
[TBD][509268941] High CVE-2026-9973: Out of bounds write in V8. Reported by amyb of OpenAI on 2026-05-04
[N/A][511710468] High CVE-2026-9974: Out of bounds write in GPU. Reported by Google on 2026-05-10
[N/A][511719039] High CVE-2026-9975: Out of bounds read and write in ANGLE. Reported by Google on 2026-05-10
[N/A][511732828] High CVE-2026-9976: Inappropriate implementation in USB. Reported by Google on 2026-05-10
[N/A][511741173] High CVE-2026-9977: Insufficient validation of untrusted input in WebShare. Reported by Google on 2026-05-10
[N/A][511741396] High CVE-2026-9978: Use after free in Glic. Reported by Google on 2026-05-10
[N/A][511742228] High CVE-2026-9979: Insufficient validation of untrusted input in Input. Reported by Google on 2026-05-10
[N/A][511776372] High CVE-2026-9980: Insufficient validation of untrusted input in Printing. Reported by Google on 2026-05-10
[N/A][512995705] High CVE-2026-9981: Inappropriate implementation in Skia. Reported by Google on 2026-05-13
[N/A][513001247] High CVE-2026-9982: Insufficient validation of untrusted input in ANGLE. Reported by Google on 2026-05-13
[N/A][513001309] High CVE-2026-9983: Type Confusion in Skia. Reported by Google on 2026-05-14
[N/A][513002543] High CVE-2026-9984: Use after free in UI. Reported by Google on 2026-05-14
[N/A][513019760] High CVE-2026-9985: Insufficient validation of untrusted input in Media. Reported by Google on 2026-05-14
[N/A][513028160] High CVE-2026-9986: Insufficient validation of untrusted input in OptimizationGuide. Reported by Google on 2026-05-14
[N/A][513046475] High CVE-2026-9987: Insufficient validation of untrusted input in WebAppInstalls. Reported by Google on 2026-05-14
[N/A][513049286] High CVE-2026-9988: Use after free in WebRTC. Reported by Google on 2026-05-14
[N/A][513054053] High CVE-2026-9989: Inappropriate implementation in Media. Reported by Google on 2026-05-14
[N/A][513128608] High CVE-2026-9990: Use after free in WebAppInstalls. Reported by Google on 2026-05-14
[N/A][513173565] High CVE-2026-9991: Inappropriate implementation in Media. Reported by Google on 2026-05-14
[N/A][513177826] High CVE-2026-9992: Use after free in Network. Reported by Google on 2026-05-14
[N/A][513208588] High CVE-2026-9993: Use after free in Views. Reported by Google on 2026-05-14
[N/A][513235131] High CVE-2026-9994: Use after free in Core. Reported by Google on 2026-05-14
[N/A][513256572] High CVE-2026-9995: Use after free in WebXR. Reported by Google on 2026-05-14
[N/A][513268100] High CVE-2026-9996: Out of bounds read in WebRTC. Reported by Google on 2026-05-14
[N/A][513324041] High CVE-2026-9997: Use after free in Input. Reported by Google on 2026-05-14
[N/A][513337118] High CVE-2026-9998: Integer overflow in Skia. Reported by Google on 2026-05-14
[N/A][513364480] High CVE-2026-9999: Inappropriate implementation in ANGLE. Reported by Google on 2026-05-15
[N/A][513505608] High CVE-2026-10000: Use after free in Passwords. Reported by Google on 2026-05-15
[N/A][513505927] High CVE-2026-10001: Use after free in PerformanceManager. Reported by Google on 2026-05-15
[N/A][513536416] High CVE-2026-10002: Use after free in PDFium. Reported by Google on 2026-05-15
[N/A][513609324] High CVE-2026-10003: Use after free in Views. Reported by Google on 2026-05-15
[N/A][513730012] High CVE-2026-10004: Insufficient validation of untrusted input in Passwords. Reported by Google on 2026-05-16
[N/A][513750089] High CVE-2026-10005: Use after free in WebAppInstalls. Reported by Google on 2026-05-16
[N/A][513750691] High CVE-2026-10006: Race in WebAudio. Reported by Google on 2026-05-16
[N/A][513754619] High CVE-2026-10007: Use after free in SVG. Reported by Google on 2026-05-16
[N/A][513768979] High CVE-2026-10008: Uninitialized Use in GPU. Reported by Google on 2026-05-16
[N/A][513973560] High CVE-2026-10009: Integer overflow in Skia. Reported by Google on 2026-05-17
[N/A][513995565] High CVE-2026-10010: Inappropriate implementation in Input. Reported by Google on 2026-05-17
[N/A][514017326] High CVE-2026-10011: Inappropriate implementation in Skia. Reported by Google on 2026-05-17
[N/A][514063977] High CVE-2026-10012: Use after free in Skia. Reported by Google on 2026-05-17
[N/A][514715455] High CVE-2026-10013: Use after free in WebCodecs. Reported by Google on 2026-05-19
[N/A][514742327] High CVE-2026-10014: Use after free in WebMIDI. Reported by Google on 2026-05-19
[N/A][514746176] High CVE-2026-10015: Integer overflow in WTF. Reported by Google on 2026-05-19
[TBD][515155946] High CVE-2026-10016: Use after free in DOM. Reported by pwn2addr on 2026-05-20
[$3000][504156069] Medium CVE-2026-10017: Out of bounds read in Headless. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-04-19
[$2000][504175501] Medium CVE-2026-10018: Integer overflow in ANGLE. Reported by Rahul Raj on 2026-04-19
[$2000][505056913] Medium CVE-2026-10019: Integer overflow in ANGLE. Reported by Mufeed VH from Winfunc Research (winfunc.com) on 2026-04-21
[N/A][496565479] Medium CVE-2026-10020: Insufficient validation of untrusted input in Skia. Reported by Google on 2026-03-26
[N/A][497327715] Medium CVE-2026-10021: Insufficient validation of untrusted input in USB. Reported by Google on 2026-03-29
[TBD][513289241] Medium CVE-2026-10022: Type Confusion in V8. Reported by ggwhyp on 2026-05-14
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Srinivas Sista
Google Chrome
The Stable channel has been updated to 149.0.7827.22/.23 for Windows and Mac (149.0.7827.29/.30) ,as part of our early stable release to a small percentage of users. A full list of changes in this build is available in the log.
You can find more details about early Stable releases here.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
Google Chrome
The Stable channel has been updated to 148.0.7778.178/179 for Windows/Mac and 148.0.7778.178 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 16 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[N/A][504551032] Critical CVE-2026-9111: Use after free in WebRTC. Reported by Google on 2026-04-20
[N/A][503551154] Critical CVE-2026-9110: Inappropriate implementation in UI. Reported by Google on 2026-04-20
[$11000][489791425] High CVE-2026-9112: Use after free in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-05
[$3000][489585044] High CVE-2026-9113: Out of bounds read in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-04
[N/A][495798630] High CVE-2026-9114: Use after free in QUIC. Reported by Google on 2026-03-24
[N/A][495999481] High CVE-2026-9115: Insufficient policy enforcement in Service Worker. Reported by Google on 2026-03-25
[N/A][497436273] High CVE-2026-9116: Insufficient policy enforcement in ServiceWorker. Reported by Google on 2026-03-29
[N/A][497542537] High CVE-2026-9117: Type Confusion in GFX. Reported by Google on 2026-04-01
[N/A][498702233] High CVE-2026-9118: Use after free in XR. Reported by Google on 2026-04-14
[N/A][502661101] High CVE-2026-9119: Heap buffer overflow in WebRTC. Reported by Google on 2026-04-17
[N/A][504620824] High CVE-2026-9120: Use after free in WebRTC. Reported by Google on 2026-04-20
[N/A][496280532] Medium CVE-2026-9126: Use after free in DOM. Reported by Google on 2026-03-25
[TBD][488064108] Medium CVE-2026-9121: Out of bounds read in GPU. Reported by David Korczynski (Adalogics) on 2026-02-26
[TBD][489579953] Medium CVE-2026-9122: Out of bounds read in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-04
[N/A][495988507] Medium CVE-2026-9123: Heap buffer overflow in Chromecast. Reported by Google on 2026-03-25
[N/A][496375695] Medium CVE-2026-9124: Insufficient validation of untrusted input in Input. Reported by Google on 2026-03-29
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
Google Chrome
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 79 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[$43000][493310462] Critical CVE-2026-8509: Heap buffer overflow in WebML. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-17
[$25000][502636904] Critical CVE-2026-8510: Integer overflow in Skia. Reported by q@calif.io on 2026-04-14
[N/A][495108488] Critical CVE-2026-8511: Use after free in UI. Reported by Google on 2026-03-22
[N/A][495782021] Critical CVE-2026-8512: Use after free in FileSystem. Reported by Google on 2026-03-24
[N/A][495939973] Critical CVE-2026-8513: Use after free in Input. Reported by Google on 2026-03-25
[N/A][495948109] Critical CVE-2026-8514: Use after free in Aura. Reported by Google on 2026-03-25
[N/A][495999127] Critical CVE-2026-8515: Use after free in HID. Reported by Google on 2026-03-25
[N/A][496393078] Critical CVE-2026-8516: Insufficient validation of untrusted input in DataTransfer. Reported by Google on 2026-03-26
[N/A][497531263] Critical CVE-2026-8517: Object lifecycle issue in WebShare. Reported by Google on 2026-03-29
[N/A][497830330] Critical CVE-2026-8518: Use after free in Blink. Reported by Google on 2026-03-30
[N/A][498400132] Critical CVE-2026-8519: Integer overflow in ANGLE. Reported by Google on 2026-04-01
[N/A][503619813] Critical CVE-2026-8520: Race in Payments. Reported by Google on 2026-04-17
[N/A][504106200] Critical CVE-2026-8521: Use after free in Tab Groups. Reported by Google on 2026-04-18
[N/A][504185107] Critical CVE-2026-8522: Use after free in Downloads. Reported by Google on 2026-04-19
[$25000][483956252] High CVE-2026-8523: Use after free in Mojo. Reported by Paul Seekamp / nullenc0de on 2026-02-12
[$10000][503425922] High CVE-2026-8558: Out of bounds write in Fonts. Reported by Matej Smycka on 2026-04-16
[$7000][499565267] High CVE-2026-8524: Out of bounds write in WebAudio. Reported by Brendan Dolan-Gavitt, XBOW on 2026-04-06
[$2000][497928952] High CVE-2026-8525: Heap buffer overflow in ANGLE. Reported by Nathaniel Oh (@calysteon) on 2026-03-30
[TBD][486536241] High CVE-2026-8526: Out of bounds write in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-22
[TBD][486761172] High CVE-2026-8527: Insufficient validation of untrusted input in Downloads. Reported by rachmat.abdul.ro on 2026-02-23
[N/A][490222151] High CVE-2026-8529: Heap buffer overflow in Codecs. Reported by Google on 2026-03-06
[N/A][491930142] High CVE-2026-8530: Use after free in Network. Reported by Google on 2026-03-11
[TBD][492350403] High CVE-2026-8531: Heap buffer overflow in WebML. Reported by Syn4pse on 2026-03-13
[N/A][492812194] High CVE-2026-8532: Integer overflow in XML. Reported by Google on 2026-03-14
[N/A][495247950] High CVE-2026-8533: Use after free in Accessibility. Reported by Google on 2026-03-23
[N/A][495314407] High CVE-2026-8534: Integer overflow in GPU. Reported by Google on 2026-03-23
[N/A][495530312] High CVE-2026-8535: Out of bounds read in Media. Reported by Google on 2026-03-23
[N/A][495857582] High CVE-2026-8536: Insufficient validation of untrusted input in ReadingMode. Reported by Google on 2026-03-24
[N/A][495890000] High CVE-2026-8537: Insufficient policy enforcement in ViewTransitions. Reported by Google on 2026-03-24
[N/A][496415073] High CVE-2026-8538: Insufficient validation of untrusted input in GPU. Reported by Google on 2026-03-26
[TBD][496524586] High CVE-2026-8539: Script injection in SanitizerAPI. Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po) on 2026-03-26
[TBD][496627235] High CVE-2026-8540: Type Confusion in V8. Reported by Google on 2026-03-26
[N/A][496645393] High CVE-2026-8541: Out of bounds read in UI. Reported by Google on 2026-03-26
[N/A][497066659] High CVE-2026-8542: Use after free in Core. Reported by Google on 2026-03-28
[N/A][497095799] High CVE-2026-8543: Out of bounds read in FileSystem. Reported by Google on 2026-03-28
[N/A][497151750] High CVE-2026-8544: Use after free in Media. Reported by Google on 2026-03-28
[N/A][497486030] High CVE-2026-8545: Object corruption in Compositing. Reported by Google on 2026-03-29
[N/A][497531791] High CVE-2026-8546: Out of bounds read in GPU. Reported by Google on 2026-03-29
[N/A][497632199] High CVE-2026-8547: Insufficient policy enforcement in Passwords. Reported by Google on 2026-03-30
[N/A][497821764] High CVE-2026-8548: Out of bounds write in Media. Reported by Google on 2026-03-30
[N/A][497985088] High CVE-2026-8549: Use after free in Media. Reported by Google on 2026-03-31
[N/A][498322453] High CVE-2026-8550: Use after free in Google Lens. Reported by Google on 2026-03-31
[N/A][498376171] High CVE-2026-8551: Use after free in Downloads. Reported by Google on 2026-04-01
[N/A][498706958] High CVE-2026-8552: Heap buffer overflow in GPU. Reported by Google on 2026-04-01
[N/A][498715368] High CVE-2026-8553: Use after free in GPU. Reported by Google on 2026-04-01
[N/A][499131214] High CVE-2026-8554: Type Confusion in ANGLE. Reported by Google on 2026-04-03
[N/A][500033878] High CVE-2026-8555: Use after free in GTK. Reported by Google on 2026-04-06
[N/A][500052361] High CVE-2026-8556: Inappropriate implementation in ANGLE. Reported by Google on 2026-04-06
[N/A][502978647] High CVE-2026-8557: Use after free in Accessibility. Reported by Google on 2026-04-15
[N/A][504629701] High CVE-2026-8559: Integer overflow in Internationalization. Reported by Google on 2026-04-20
[N/A][487795397] Medium CVE-2026-8528: Insufficient validation of untrusted input in SiteIsolation. Reported by Google on 2026-02-26
[TBD][328109821] Medium CVE-2026-8560: Heap buffer overflow in SwiftShader. Reported by Cassidy Kim(@cassidy6564) on 2024-03-05
[TBD][343352552] Medium CVE-2026-8561: Incorrect security UI in Fullscreen. Reported by Wolfgang Ettlinger (aff. Certitude Consulting GmbH)
Alexander Hurbean (aff. Certitude Consulting GmbH) on 2024-05-29
[N/A][40057534] Medium CVE-2026-8562: Side-channel information leakage in Navigation. Reported by Google on 2021-10-06
[TBD][40061220] Medium CVE-2026-8563: Insufficient policy enforcement in IFrame Sandbox. Reported by Luan Herrera (@lbherrera_) on 2022-10-04
[TBD][418273622] Medium CVE-2026-8564: Incorrect security UI in Downloads. Reported by Alesandro Ortiz https://AlesandroOrtiz.com on 2025-05-16
[TBD][442860473] Medium CVE-2026-8565: Inappropriate implementation in Downloads. Reported by Farras Givari on 2025-09-04
[TBD][470646792] Medium CVE-2026-8566: Insufficient policy enforcement in Payments. Reported by Jorian Woltjer on 2025-12-21
[TBD][484986863] Medium CVE-2026-8567: Integer overflow in ANGLE. Reported by cinzinga on 2026-02-16
[TBD][488728570] Medium CVE-2026-8568: Insufficient policy enforcement in AI. Reported by Tianyi Hu on 2026-03-01
[N/A][490229299] Medium CVE-2026-8569: Out of bounds write in Codecs. Reported by Google on 2026-03-06
[N/A][490353576] Medium CVE-2026-8570: Type Confusion in V8. Reported by Google on 2026-03-06
[TBD][491422244] Medium CVE-2026-8571: Insufficient policy enforcement in GPU. Reported by Mark Blaszczyk on 2026-03-10
[N/A][495405493] Medium CVE-2026-8572: Insufficient policy enforcement in Network. Reported by Google on 2026-03-23
[N/A][495417883] Medium CVE-2026-8573: Integer overflow in Codecs. Reported by Google on 2026-03-23
[N/A][495902113] Medium CVE-2026-8574: Use after free in Core. Reported by Google on 2026-03-24
[N/A][496217775] Medium CVE-2026-8575: Use after free in UI. Reported by Google on 2026-03-25
[N/A][496231853] Medium CVE-2026-8576: Inappropriate implementation in CORS. Reported by Google on 2026-03-25
[N/A][496302307] Medium CVE-2026-8577: Integer overflow in Fonts. Reported by Google on 2026-03-25
[N/A][496395450] Medium CVE-2026-8578: Out of bounds read in GPU. Reported by Google on 2026-03-26
[N/A][496526419] Medium CVE-2026-8579: Insufficient validation of untrusted input in Skia. Reported by Google on 2026-03-26
[N/A][496639647] Medium CVE-2026-8580: Use after free in Mojo. Reported by Google on 2026-03-26
[N/A][497292072] Medium CVE-2026-8581: Use after free in GPU. Reported by Google on 2026-03-28
[N/A][497594413] Medium CVE-2026-8582: Object lifecycle issue in Dawn. Reported by Google on 2026-03-30
[N/A][497975477] Medium CVE-2026-8583: Insufficient policy enforcement in WebXR. Reported by Google on 2026-03-31
[N/A][498892595] Medium CVE-2026-8584: Inappropriate implementation in Views. Reported by Google on 2026-04-02
[N/A][499052720] Medium CVE-2026-8585: Inappropriate implementation in Media. Reported by Google on 2026-04-02
[N/A][499154022] Medium CVE-2026-8586: Inappropriate implementation in Chromoting. Reported by Google on 2026-04-03
[TBD][507356235] Medium CVE-2026-8587: Use after free in Extensions. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2026-04-28
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
Google Chrome
The Chrome team is delighted to announce the promotion of Chrome 148 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 127 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
[$43000][493747582] Critical CVE-2026-7896: Integer overflow in Blink. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-18
[N/A][504069514] Critical CVE-2026-7897: Use after free in Mobile. Reported by Google on 2026-04-18
[N/A][504587882] Critical CVE-2026-7898: Use after free in Chromoting. Reported by Google on 2026-04-20
[$55000][505481948] High CVE-2026-7899: Out of bounds read and write in V8. Reported by Project WhatForLunch (@pjwhatforlunch) on 2026-04-23
[$16000][496503799] High CVE-2026-7900: Heap buffer overflow in ANGLE. Reported by Anonymous on 2026-03-26
[$16000][497724490] High CVE-2026-7901: Use after free in ANGLE. Reported by Syn4pse (@ret2happy) on 2026-03-30
[$8000][502030575] High CVE-2026-7902: Out of bounds memory access in V8. Reported by JunYoung Park(@candymate) of KAIST Hacking Lab on 2026-04-13
[TBD][491760376] High CVE-2026-7903: Integer overflow in ANGLE. Reported by heesun on 2026-03-11
[TBD][492350406] High CVE-2026-7904: Out of bounds read in Fonts. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-13
[N/A][495259842] High CVE-2026-7905: Insufficient validation of untrusted input in Media. Reported by Google on 2026-03-23
[N/A][496284584] High CVE-2026-7906: Use after free in SVG. Reported by Google on 2026-03-25
[N/A][496292089] High CVE-2026-7907: Use after free in DOM. Reported by Google on 2026-03-25
[N/A][497436531] High CVE-2026-7908: Use after free in Fullscreen. Reported by Google on 2026-03-29
[N/A][497437113] High CVE-2026-7909: Inappropriate implementation in ServiceWorker. Reported by Google on 2026-03-29
[N/A][497543810] High CVE-2026-7910: Use after free in Views. Reported by Google on 2026-03-29
[N/A][497548912] High CVE-2026-7911: Use after free in Aura. Reported by Google on 2026-03-29
[N/A][497639714] High CVE-2026-7912: Integer overflow in GPU. Reported by Google on 2026-03-30
[N/A][497936728] High CVE-2026-7913: Insufficient policy enforcement in DevTools. Reported by Google on 2026-03-30
[N/A][498401609] High CVE-2026-7914: Type Confusion in Accessibility. Reported by Google on 2026-04-01
[N/A][498454478] High CVE-2026-7915: Insufficient data validation in DevTools. Reported by Google on 2026-04-01
[N/A][498720754] High CVE-2026-7916: Insufficient data validation in InterestGroups. Reported by Google on 2026-04-01
[N/A][498752242] High CVE-2026-7917: Use after free in Fullscreen. Reported by Google on 2026-04-02
[N/A][498780188] High CVE-2026-7918: Use after free in GPU. Reported by Google on 2026-04-02
[N/A][498832921] High CVE-2026-7919: Use after free in Aura. Reported by Google on 2026-04-02
[N/A][498989348] High CVE-2026-7920: Use after free in Skia. Reported by Google on 2026-04-02
[N/A][499062376] High CVE-2026-7921: Use after free in Passwords. Reported by Google on 2026-04-02
[N/A][499449324] High CVE-2026-7922: Use after free in ServiceWorker. Reported by Google on 2026-04-04
[N/A][500080194] High CVE-2026-7923: Out of bounds write in Skia. Reported by Google on 2026-04-06
[N/A][500087204] High CVE-2026-7924: Uninitialized Use in Dawn. Reported by Google on 2026-04-06
[N/A][501833981] High CVE-2026-7925: Use after free in Chromoting. Reported by Google on 2026-04-12
[TBD][502249087] High CVE-2026-7926: Use after free in PresentationAPI. Reported by anonymous on 2026-04-14
[N/A][502830119] High CVE-2026-7927: Type Confusion in Runtime. Reported by Google on 2026-04-15
[N/A][504612429] High CVE-2026-7928: Use after free in WebRTC. Reported by Google on 2026-04-20
[N/A][504660052] High CVE-2026-7929: Use after free in MediaRecording. Reported by Google on 2026-04-20
[TBD][434825208] Medium CVE-2026-7930: Insufficient validation of untrusted input in Cookies. Reported by Satoki on 2025-07-29
[TBD][474338157] Medium CVE-2026-7931: Insufficient validation of untrusted input in iOS. Reported by Qadhafy Muhammad Tera on 2026-01-08
[TBD][481634116] Medium CVE-2026-7932: Insufficient policy enforcement in Downloads. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-02-04
[TBD][488585490] Medium CVE-2026-7933: Out of bounds read in WebCodecs. Reported by heapracer (@heapracer) on 2026-03-01
[N/A][489023922] Medium CVE-2026-7934: Insufficient validation of untrusted input in Popup Blocker. Reported by Google on 2026-03-02
[TBD][489624550] Medium CVE-2026-7935: Inappropriate implementation in Speech. Reported by Qadhafy Muhammad Tera on 2026-03-04
[TBD][490485402] Medium CVE-2026-7936: Object lifecycle issue in V8. Reported by Christian Holler on 2026-03-07
[TBD][491766258] Medium CVE-2026-7937: Insufficient policy enforcement in DevTools. Reported by lebr0nli of National Yang Ming Chiao Tung University, Dept. of CS, Security and Systems Lab on 2026-03-11
[TBD][492735384] Medium CVE-2026-7938: Use after free in CSS. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-15
[TBD][492963096] Medium CVE-2026-7939: Inappropriate implementation in SanitizerAPI. Reported by s3zer0 on 2026-03-15
[TBD][493631402] Medium CVE-2026-7940: Use after free in V8. Reported by sakana on 2026-03-17
[TBD][493955234] Medium CVE-2026-7941: Insufficient validation of untrusted input in Mobile. Reported by Adithya Kotian on 2026-03-19
[N/A][495363705] Medium CVE-2026-7942: Integer overflow in ANGLE. Reported by Google on 2026-03-23
[TBD][495373657] Medium CVE-2026-7943: Insufficient validation of untrusted input in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-23
[N/A][495783187] Medium CVE-2026-7944: Insufficient validation of untrusted input in Persistent Cache. Reported by Google on 2026-03-24
[N/A][495802788] Medium CVE-2026-7945: Insufficient validation of untrusted input in COOP. Reported by Google on 2026-03-24
[N/A][496016840] Medium CVE-2026-7946: Insufficient policy enforcement in WebUI. Reported by Google on 2026-03-25
[N/A][496169594] Medium CVE-2026-7947: Insufficient validation of untrusted input in Network. Reported by Google on 2026-03-25
[N/A][496193452] Medium CVE-2026-7948: Race in Chromoting. Reported by Google on 2026-03-25
[N/A][496206134] Medium CVE-2026-7949: Out of bounds read in Skia. Reported by Google on 2026-03-25
[N/A][496259890] Medium CVE-2026-7950: Out of bounds read and write in GFX. Reported by Google on 2026-03-25
[TBD][496266456] Medium CVE-2026-7951: Out of bounds write in WebRTC. Reported by soft.connect.fr on 2026-03-26
[N/A][496279876] Medium CVE-2026-7952: Insufficient policy enforcement in Extensions. Reported by Google on 2026-03-25
[N/A][496379792] Medium CVE-2026-7953: Insufficient validation of untrusted input in Omnibox. Reported by Google on 2026-03-26
[N/A][496380960] Medium CVE-2026-7954: Race in Shared Storage. Reported by Google on 2026-03-26
[N/A][496441232] Medium CVE-2026-7955: Uninitialized Use in GPU. Reported by Google on 2026-03-26
[N/A][496463315] Medium CVE-2026-7956: Use after free in Navigation. Reported by Google on 2026-03-26
[N/A][496607380] Medium CVE-2026-7957: Out of bounds write in Media. Reported by Google on 2026-03-26
[N/A][496632973] Medium CVE-2026-7958: Inappropriate implementation in ServiceWorker. Reported by Google on 2026-03-26
[N/A][496645205] Medium CVE-2026-7959: Inappropriate implementation in Navigation. Reported by Google on 2026-03-26
[N/A][497007825] Medium CVE-2026-7960: Race in Speech. Reported by Google on 2026-03-27
[N/A][497008295] Medium CVE-2026-7961: Insufficient validation of untrusted input in Permissions. Reported by Google on 2026-03-27
[N/A][497081987] Medium CVE-2026-7962: Insufficient policy enforcement in DirectSockets. Reported by Google on 2026-03-28
[N/A][497250399] Medium CVE-2026-7963: Inappropriate implementation in ServiceWorker. Reported by Google on 2026-03-28
[N/A][497254383] Medium CVE-2026-7964: Insufficient validation of untrusted input in FileSystem. Reported by Google on 2026-03-28
[N/A][497255035] Medium CVE-2026-7965: Insufficient validation of untrusted input in DevTools. Reported by Google on 2026-03-28
[N/A][497341787] Medium CVE-2026-7966: Insufficient validation of untrusted input in SiteIsolation. Reported by Google on 2026-03-29
[N/A][497365545] Medium CVE-2026-7967: Insufficient validation of untrusted input in Navigation. Reported by Google on 2026-03-29
[N/A][497432281] Medium CVE-2026-7968: Insufficient validation of untrusted input in CORS. Reported by Google on 2026-03-29
[N/A][497450574] Medium CVE-2026-7969: Integer overflow in Network. Reported by Google on 2026-03-29
[N/A][497487462] Medium CVE-2026-7970: Use after free in TopChrome. Reported by Google on 2026-03-29
[N/A][497529290] Medium CVE-2026-7971: Inappropriate implementation in ORB. Reported by Google on 2026-03-29
[N/A][497546281] Medium CVE-2026-7972: Uninitialized Use in GPU. Reported by Google on 2026-03-29
[N/A][497565944] Medium CVE-2026-7973: Integer overflow in Dawn. Reported by Google on 2026-03-29
[N/A][497649372] Medium CVE-2026-7974: Use after free in Blink. Reported by Google on 2026-03-30
[N/A][497735587] Medium CVE-2026-7975: Use after free in DevTools. Reported by Google on 2026-03-30
[N/A][497736679] Medium CVE-2026-7976: Use after free in Views. Reported by Google on 2026-03-30
[N/A][497821223] Medium CVE-2026-7977: Inappropriate implementation in Canvas. Reported by Google on 2026-03-30
[N/A][497828892] Medium CVE-2026-7978: Inappropriate implementation in Companion. Reported by Google on 2026-03-30
[N/A][497849876] Medium CVE-2026-7979: Inappropriate implementation in Media. Reported by Google on 2026-03-30
[N/A][497859275] Medium CVE-2026-7980: Use after free in WebAudio. Reported by Google on 2026-03-30
[N/A][497926602] Medium CVE-2026-7981: Out of bounds read in Codecs. Reported by Google on 2026-03-30
[N/A][497952533] Medium CVE-2026-7982: Uninitialized Use in WebCodecs. Reported by Google on 2026-03-30
[N/A][497975608] Medium CVE-2026-7983: Out of bounds read in Dawn. Reported by Google on 2026-03-31
[N/A][498277368] Medium CVE-2026-7984: Use after free in ReadingMode. Reported by Google on 2026-03-31
[N/A][498352423] Medium CVE-2026-7985: Use after free in GPU. Reported by Google on 2026-03-31
[N/A][498396238] Medium CVE-2026-7986: Insufficient policy enforcement in Autofill. Reported by Google on 2026-04-01
[N/A][498696266] Medium CVE-2026-7987: Use after free in WebRTC. Reported by Google on 2026-04-01
[N/A][498753456] Medium CVE-2026-7988: Type Confusion in WebRTC. Reported by Google on 2026-04-02
[N/A][498765082] Medium CVE-2026-7989: Insufficient data validation in DataTransfer. Reported by Google on 2026-04-02
[N/A][498892267] Medium CVE-2026-7990: Insufficient validation of untrusted input in Updater. Reported by Google on 2026-04-02
[N/A][499065126] Medium CVE-2026-7991: Use after free in UI. Reported by Google on 2026-04-02
[N/A][499067529] Medium CVE-2026-7992: Insufficient validation of untrusted input in UI. Reported by Google on 2026-04-02
[N/A][499099003] Medium CVE-2026-7993: Insufficient validation of untrusted input in Payments. Reported by Google on 2026-04-03
[N/A][499116954] Medium CVE-2026-7994: Inappropriate implementation in Chromoting. Reported by Google on 2026-04-03
[N/A][501745798] Medium CVE-2026-7995: Out of bounds read in AdFilter. Reported by Google on 2026-04-11
[TBD][484547631] Low CVE-2026-7996: Insufficient validation of untrusted input in SSL. Reported by heesun on 2026-02-15
[TBD][487960705] Low CVE-2026-7997: Insufficient validation of untrusted input in Updater. Reported by ochkofficial on 2026-02-26
[TBD][491676472] Low CVE-2026-7998: Insufficient validation of untrusted input in Dialog. Reported by Tianyi Hu on 2026-03-11
[TBD][493099941] Low CVE-2026-7999: Inappropriate implementation in V8. Reported by Taisic Yun (@taisic) of Theori on 2026-03-16
[TBD][494464734] Low CVE-2026-8000: Insufficient validation of untrusted input in ChromeDriver. Reported by Ryan Jupp - HAAO on 2026-03-20
[TBD][494764371] Low CVE-2026-8001: Use after free in Printing. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-21
[N/A][495779613] Low CVE-2026-8002: Use after free in Audio. Reported by Google on 2026-03-24
[N/A][495985532] Low CVE-2026-8003: Insufficient validation of untrusted input in TabGroups. Reported by Google on 2026-03-25
[N/A][496189510] Low CVE-2026-8004: Insufficient policy enforcement in DevTools. Reported by Google on 2026-03-25
[N/A][496298665] Low CVE-2026-8005: Insufficient validation of untrusted input in Cast. Reported by Google on 2026-03-25
[N/A][496373088] Low CVE-2026-8006: Insufficient policy enforcement in DevTools. Reported by Google on 2026-03-26
[N/A][496399759] Low CVE-2026-8007: Insufficient validation of untrusted input in Cast. Reported by Google on 2026-03-26
[N/A][496426191] Low CVE-2026-8008: Inappropriate implementation in DevTools. Reported by Google on 2026-03-26
[N/A][496555077] Low CVE-2026-8009: Inappropriate implementation in Cast. Reported by Google on 2026-03-26
[N/A][496624084] Low CVE-2026-8010: Insufficient validation of untrusted input in SiteIsolation. Reported by Google on 2026-03-26
[N/A][496626029] Low CVE-2026-8011: Insufficient policy enforcement in Search. Reported by Google on 2026-03-26
[N/A][496628298] Low CVE-2026-8012: Inappropriate implementation in MHTML. Reported by Google on 2026-03-26
[N/A][497427430] Low CVE-2026-8013: Insufficient validation of untrusted input in FedCM. Reported by Google on 2026-03-29
[N/A][497490364] Low CVE-2026-8014: Inappropriate implementation in Preload. Reported by Google on 2026-03-29
[N/A][497548558] Low CVE-2026-8015: Inappropriate implementation in Media. Reported by Google on 2026-03-29
[N/A][497695401] Low CVE-2026-8016: Use after free in WebRTC. Reported by Google on 2026-03-30
[N/A][497722578] Low CVE-2026-8017: Side-channel information leakage in Media. Reported by Google on 2026-03-30
[N/A][498292657] Low CVE-2026-8018: Insufficient policy enforcement in DevTools. Reported by Google on 2026-03-31
[N/A][498353173] Low CVE-2026-8019: Insufficient policy enforcement in WebApp. Reported by Google on 2026-03-31
[N/A][498382925] Low CVE-2026-8020: Uninitialized Use in GPU. Reported by Google on 2026-04-01
[N/A][498417031] Low CVE-2026-8021: Script injection in UI. Reported by Google on 2026-04-01
[N/A][499194407] Low CVE-2026-8022: Inappropriate implementation in MHTML. Reported by Google on 2026-04-03
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
Google Chrome
The Stable channel has been updated to 148.0.7778.96/.97 for Windows and Mac as part of our early stable release to a small percentage of users. A full list of changes in this build is available in the log.
You can find more details about early Stable releases here.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
Google Chrome
The Extended Stable channel has been updated to 146.0.7680.216 for Windows and Mac which will roll out over the coming days/weeks.
The Stable channel has been updated to 147.0.7727.137/138 for Windows/Mac and 147.0.7727.137 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 30 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[$7000][494352590] Critical CVE-2026-7363: Use after free in Canvas. Reported by heapracer on 2026-03-19
[N/A][493221953] Critical CVE-2026-7361: Use after free in iOS. Reported by Google on 2026-03-16
[N/A][503419515] Critical CVE-2026-7344: Use after free in Accessibility. Reported by Google on 2026-04-16
[N/A][503645680] Critical CVE-2026-7343: Use after free in Views. Reported by Google on 2026-04-17
[$16000][493955227] High CVE-2026-7333: Use after free in GPU. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-19
[N/A][495852034] High CVE-2026-7360: Insufficient validation of untrusted input in Compositing. Reported by Google on 2026-03-24
[N/A][496284494] High CVE-2026-7359: Use after free in ANGLE. Reported by Google on 2026-03-25
[N/A][496285281] High CVE-2026-7358: Use after free in Animation. Reported by Google on 2026-03-25
[TBD][496456528] High CVE-2026-7334: Use after free in Views. Reported by Batuhan Eşref KOÇ on 2026-03-26
[N/A][497047552] High CVE-2026-7357: Use after free in GPU. Reported by Google on 2026-03-27
[N/A][497769116] High CVE-2026-7356: Use after free in Navigation. Reported by Google on 2026-03-30
[N/A][498746519] High CVE-2026-7354: Out of bounds read and write in Angle. Reported by Google on 2026-04-01
[N/A][498809718] High CVE-2026-7353: Heap buffer overflow in Skia. Reported by Google on 2026-04-01
[N/A][499023054] High CVE-2026-7352: Use after free in Media. Reported by Google on 2026-04-02
[N/A][499119490] High CVE-2026-7351: Race in MHTML. Reported by Google on 2026-04-02
[N/A][500018484] High CVE-2026-7350: Use after free in WebMIDI. Reported by Google on 2026-04-06
[N/A][500034684] High CVE-2026-7349: Use after free in Cast. Reported by Google on 2026-04-06
[N/A][500104917] High CVE-2026-7348: Use after free in Codecs. Reported by Google on 2026-04-06
[TBD][500387779] High CVE-2026-7335: Use after free in media. Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po) on 2026-04-07
[TBD][500767595] High CVE-2026-7336: Use after free in WebRTC. Reported by Mozilla on 2026-04-09
[TBD][500880819] High CVE-2026-7337: Type Confusion in V8. Reported by q@calif.io on 2026-04-09
[N/A][501722605] High CVE-2026-7347: Use after free in Chromoting. Reported by Google on 2026-04-11
[N/A][502206907] High CVE-2026-7346: Inappropriate implementation in Tint. Reported by Google on 2026-04-13
[N/A][502248774] High CVE-2026-7345: Insufficient validation of untrusted input in Feedback. Reported by Google on 2026-04-13
[TBD][502449857] High CVE-2026-7338: Use after free in Cast. Reported by Krace on 2026-04-14
[N/A][503889643] High CVE-2026-7342: Use after free in WebView. Reported by Google on 2026-04-17
[N/A][504586599] High CVE-2026-7341: Use after free in WebRTC. Reported by Google on 2026-04-20
[$4000][493957495] Medium CVE-2026-7339: Heap buffer overflow in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-19
[$3000][497896137] Medium CVE-2026-7340: Integer overflow in ANGLE. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-30
[N/A][498285711] Medium CVE-2026-7355: Use after free in Media. Reported by Google on 2026-03-31
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
The Stable channel has been updated to 148.0.7778.56/.57 for Windows and Mac as part of our early stable release to a small percentage of users. A full list of changes in this build is available in the log.
You can find more details about early Stable releases here.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
Google Chrome
The Stable channel has been updated to 147.0.7727.116/117 for Windows/Mac and 147.0.7727.116 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 19 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[TBD][493652473] High CVE-2026-6919: Use after free in DevTools. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-18
[TBD][499891888] High CVE-2026-6920: Out of bounds read in GPU. Reported by tatiwari of Microsoft on 2026-04-06
[TBD][493315759] Medium CVE-2026-6921: Race in GPU. Reported by soiax on 2026-03-17
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
As usual, our ongoing internal security work was responsible for a wide range of fixes:
[505764421]Various fixes from internal audits, fuzzing and other initiatives
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
The Extended Stable channel has been updated to 146.0.7680.208 for Windows and Mac which will roll out over the coming days/weeks.
The Extended Stable channel has been updated to 146.0.7680.201 for Windows and Mac which will roll out over the coming days/weeks.
The Stable channel has been updated to 147.0.7727.101/102 for Windows/Mac and 147.0.7727.101 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 31 security fixes. Please see the Chrome Security Page for more information.
[$90000][490170083] Critical CVE-2026-6296: Heap buffer overflow in ANGLE. Reported by cinzinga on 2026-03-05
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
The Extended Stable channel has been updated to 146.0.7680.188 for Windows and Mac which will roll out over the coming days/weeks.
The Chrome team is delighted to announce the promotion of Chrome 147 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes multiple security fixes. Please see the Chrome Security Page for more information.
[$43000][493319454] Critical CVE-2026-5858: Heap buffer overflow in WebML. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-17
[$43000][494158331] Critical CVE-2026-5859: Integer overflow in WebML. Reported by Anonymous on 2026-03-19
[$11000][486495143] High CVE-2026-5860: Use after free in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-22
[$3000][486927780] High CVE-2026-5861: Use after free in V8. Reported by 5shain on 2026-02-23
[TBD][470566252] High CVE-2026-5862: Inappropriate implementation in V8. Reported by Google on 2025-12-21
[TBD][484527367] High CVE-2026-5863: Inappropriate implementation in V8. Reported by Google on 2026-02-14
[TBD][490642831] High CVE-2026-5864: Heap buffer overflow in WebAudio. Reported by Syn4pse on 2026-03-08
[TBD][491884710] High CVE-2026-5865: Type Confusion in V8. Reported by Project WhatForLunch (@pjwhatforlunch) on 2026-03-12
[TBD][492218537] High CVE-2026-5866: Use after free in Media. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-13
[TBD][492668885] High CVE-2026-5867: Heap buffer overflow in WebML. Reported by Syn4pse on 2026-03-14
[TBD][493256564] High CVE-2026-5868: Heap buffer overflow in ANGLE. Reported by cinzinga on 2026-03-16
[TBD][493708165] High CVE-2026-5869: Heap buffer overflow in WebML. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-18
[TBD][495534710] High CVE-2026-5870: Integer overflow in Skia. Reported by Google on 2026-03-23
[TBD][495679730] High CVE-2026-5871: Type Confusion in V8. Reported by Google on 2026-03-24
[TBD][496281816] High CVE-2026-5872: Use after free in Blink. Reported by Google on 2026-03-25
[TBD][496301615] High CVE-2026-5873: Out of bounds read and write in V8. Reported by Google on 2026-03-25
[$11000][485397279] Medium CVE-2026-5874: Use after free in PrivateAI. Reported by Krace on 2026-02-18
[$4000][430198264] Medium CVE-2026-5875: Policy bypass in Blink. Reported by Lyra Rebane (rebane2001) on 2025-07-08
[$2000][41485206] Medium CVE-2026-5876: Side-channel information leakage in Navigation. Reported by Lyra Rebane (rebane2001) on 2023-12-18
[TBD][333024273] Medium CVE-2026-5877: Use after free in Navigation. Reported by Cassidy Kim(@cassidy6564) on 2024-04-05
[TBD][365089001] Medium CVE-2026-5878: Incorrect security UI in Blink. Reported by Shaheen Fazim on 2024-09-06
[TBD][40073848] Medium CVE-2026-5879: Insufficient validation of untrusted input in ANGLE. Reported by parkminchan, working for SSD Labs Korea on 2023-10-01
[TBD][424995036] Medium CVE-2026-5880: Incorrect security UI in browser UI. Reported by Anonymous on 2025-06-14
[TBD][454162508] Medium CVE-2026-5881: Policy bypass in LocalNetworkAccess. Reported by asnine on 2025-10-22
[TBD][480993682] Medium CVE-2026-5882: Incorrect security UI in Fullscreen. Reported by Anonymous on 2026-02-02
[TBD][482958590] Medium CVE-2026-5883: Use after free in Media. Reported by sherkito on 2026-02-09
[TBD][484547633] Medium CVE-2026-5884: Insufficient validation of untrusted input in Media. Reported by xmzyshypnc on 2026-02-15
[TBD][485203823] Medium CVE-2026-5885: Insufficient validation of untrusted input in WebML. Reported by Bryan Bernhart on 2026-02-17
[TBD][485397283] Medium CVE-2026-5886: Out of bounds read in WebAudio. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-18
[TBD][486079015] Medium CVE-2026-5887: Insufficient validation of untrusted input in Downloads. Reported by daffainfo on 2026-02-20
[TBD][486506202] Medium CVE-2026-5888: Uninitialized Use in WebCodecs. Reported by Identified by the Octane Security Team: Giovanni Vignone, Paolo Gentry, Robert van Eijk on 2026-02-22
[TBD][486906037] Medium CVE-2026-5889: Cryptographic Flaw in PDFium. Reported by mlafon on 2026-02-23
[TBD][487259772] Medium CVE-2026-5890: Race in WebCodecs. Reported by Casper Woudenberg on 2026-02-24
[TBD][487471101] Medium CVE-2026-5891: Insufficient policy enforcement in browser UI. Reported by Tianyi Hu on 2026-02-25
[TBD][487568011] Medium CVE-2026-5892: Insufficient policy enforcement in PWAs. Reported by Tianyi Hu on 2026-02-25
[TBD][487768771] Medium CVE-2026-5893: Race in V8. Reported by QYmag1c on 2026-02-26
[$1000][481882038] Low CVE-2026-5894: Inappropriate implementation in PDF. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-02-05
[TBD][374285495] Low CVE-2026-5895: Incorrect security UI in Omnibox. Reported by Renwa Hiwa @RenwaX23 on 2024-10-18
[TBD][40064543] Low CVE-2026-5896: Policy bypass in Audio. Reported by Luan Herrera (@lbherrera_) on 2023-05-13
[TBD][419921726] Low CVE-2026-5897: Incorrect security UI in Downloads. Reported by Farras Givari on 2025-05-24
[TBD][470295118] Low CVE-2026-5898: Incorrect security UI in Omnibox. Reported by saidinahikam032 on 2025-12-19
[TBD][474817168] Low CVE-2026-5899: Incorrect security UI in History Navigation. Reported by Islam Rzayev on 2026-01-11
[TBD][475265304] Low CVE-2026-5900: Policy bypass in Downloads. Reported by Luan Herrera (@lbherrera_) on 2026-01-13
[TBD][479673903] Low CVE-2026-5901: Policy bypass in DevTools. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-01-29
[TBD][483109205] Low CVE-2026-5902: Race in Media. Reported by Luke Francis on 2026-02-10
[TBD][483771899] Low CVE-2026-5903: Policy bypass in IFrameSandbox. Reported by @Ciarands on 2026-02-11
[TBD][483851888] Low CVE-2026-5904: Use after free in V8. Reported by Zhenpeng (Leo) Lin at depthfirst on 2026-02-12
[TBD][483899628] Low CVE-2026-5905: Incorrect security UI in Permissions. Reported by daffainfo on 2026-02-12
[TBD][484082189] Low CVE-2026-5906: Incorrect security UI in Omnibox. Reported by mohamedhesham9173 on 2026-02-13
[TBD][484665123] Low CVE-2026-5907: Insufficient data validation in Media. Reported by Luke Francis on 2026-02-15
[TBD][485115554] Low CVE-2026-5908: Integer overflow in Media. Reported by Ameen Basha M K & Mohammed Yasar B on 2026-02-17
[TBD][485203821] Low CVE-2026-5909: Integer overflow in Media. Reported by Mohammed Yasar B & Ameen Basha M K on 2026-02-17
[TBD][485212874] Low CVE-2026-5910: Integer overflow in Media. Reported by Ameen Basha M K & Mohammed Yasar B on 2026-02-17
[TBD][485785246] Low CVE-2026-5911: Policy bypass in ServiceWorkers. Reported by lebr0nli of National Yang Ming Chiao Tung University, Dept. of CS, Security and Systems Lab on 2026-02-19
[TBD][486498791] Low CVE-2026-5912: Integer overflow in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-22
[TBD][487195286] Low CVE-2026-5913: Out of bounds read in Blink. Reported by Vitaly Simonovich on 2026-02-24
[TBD][490023239] Low CVE-2026-5914: Type Confusion in CSS. Reported by Syn4pse on 2026-03-05
[TBD][494341335] Low CVE-2026-5915: Insufficient validation of untrusted input in WebML. Reported by ningxin.hu@intel.com on 2026-03-20
[TBD][490139441] Low CVE-2026-5918: Inappropriate implementation in Navigation. Reported by Google on 2026-03-05
[TBD][483423893] Low CVE-2026-5919: Insufficient validation of untrusted input in WebSockets. Reported by Richard Belisle on 2026-02-10
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
Google Chrome
The Stable channel has been updated to 147.0.7727.49/.50 for Windows and Mac as part of our early stable release to a small percentage of users. A full list of changes in this build is available in the log.
You can find more details about early Stable releases here.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Krishna Govind
Google Chrome
The Stable channel has been updated to 146.0.7680.177/178 for Windows/Mac and 146.0.7680.177 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 21 security fixes. Please see the Chrome Security Page for more information.
[TBD][493952652] High CVE-2026-5273: Use after free in CSS. Reported by Anonymous on 2026-03-18
[TBD][491732188] High CVE-2026-5272: Heap buffer overflow in GPU. Reported by inspector-ambitious on 2026-03-11
[TBD][488596746] High CVE-2026-5274: Integer overflow in Codecs. Reported by heapracer (@heapracer) on 2026-03-01
[TBD][489494022] High CVE-2026-5275: Heap buffer overflow in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-04
[TBD][489711638] High CVE-2026-5276: Insufficient policy enforcement in WebUSB. Reported by Ariel Simon on 2026-03-04
[TBD][489791424] High CVE-2026-5277: Integer overflow in ANGLE. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-05
[TBD][490254128] High CVE-2026-5278: Use after free in Web MIDI. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-06
[TBD][490642836] High CVE-2026-5279: Object corruption in V8. Reported by Hyeonjun Ahn (@_deayzl) on 2026-03-08
[TBD][491515787] High CVE-2026-5280: Use after free in WebCodecs. Reported by heapracer (@heapracer) on 2026-03-11
[TBD][491518608] High CVE-2026-5281: Use after free in Dawn. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-10
[TBD][491655161] High CVE-2026-5282: Out of bounds read in WebCodecs. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-11
[TBD][492131521] High CVE-2026-5283: Inappropriate implementation in ANGLE. Reported by sweetchip on 2026-03-12
[TBD][492139412] High CVE-2026-5284: Use after free in Dawn. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-12
[TBD][492228019] High CVE-2026-5285: Use after free in WebGL. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-13
[TBD][493900619] High CVE-2026-5286: Use after free in Dawn. Reported by sweetchip on 2026-03-18
[TBD][494644471] High CVE-2026-5287: Use after free in PDF. Reported by Syn4pse on 2026-03-21
[NA][495507390] High CVE-2026-5288: Use after free in WebView. Reported by Google on 2026-03-23
[NA][495931147] High CVE-2026-5289: Use after free in Navigation. Reported by Google on 2026-03-25
[NA][496205576] High CVE-2026-5290: Use after free in Compositing. Reported by Google on 2026-03-25
[TBD][490118036] Medium CVE-2026-5291: Inappropriate implementation in WebGL. Reported by heapracer (@heapracer) on 2026-03-06
[NA][492213293] Medium CVE-2026-5292: Out of bounds read in WebCodecs. Reported by Google on 2026-03-12
Google is aware that an exploit for CVE-2026-5281 exists in the wild.
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
The Stable channel has been updated to 147.0.7727.24/.25 for Windows and Mac as part of our early stable release to a small percentage of users. A full list of changes in this build is available in the log.
You can find more details about early Stable releases here.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
Google Chrome
The Stable channel has been updated to 146.0.7680.164/165 for Windows/Mac and 146.0.7680.164 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 8 security fixes. Please see the Chrome Security Page for more information.
[$7000][485397284] High CVE-2026-4673: Heap buffer overflow in WebAudio. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-18
[TBD][488188166] High CVE-2026-4674: Out of bounds read in CSS. Reported by Syn4pse on 2026-02-27
[TBD][488270257] High CVE-2026-4675: Heap buffer overflow in WebGL. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-02-27
[TBD][488613135] High CVE-2026-4676: Use after free in Dawn. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-01
[TBD][490533968] High CVE-2026-4677: Out of bounds read in WebAudio. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-07
[TBD][491164019] High CVE-2026-4678: Use after free in WebGPU. Reported by Google on 2026-03-10
[TBD][491516670] High CVE-2026-4679: Integer overflow in Fonts. Reported by GF, Un3xploitable Of DeadSec on 2026-03-11
[TBD][491869946] High CVE-2026-4680: Use after free in FedCM. Reported by Shaheen Fazim on 2026-03-12
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Srinivas Sista
The Stable channel has been updated to 146.0.7680.153/154 for Windows/Mac and 146.0.7680.153 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 26 security fixes. Please see the Chrome Security Page for more information.
[TBD][475877320] Critical CVE-2026-4439: Out of bounds memory access in WebGL. Reported by Goodluck on 2026-01-15
[TBD][485935305] Critical CVE-2026-4440: Out of bounds read and write in WebGL. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-20
[TBD][489381399] Critical CVE-2026-4441: Use after free in Base. Reported by Google on 2026-03-03
[TBD][484751092] High CVE-2026-4442: Heap buffer overflow in CSS. Reported by Syn4pse on 2026-02-16
[TBD][485292589] High CVE-2026-4443: Heap buffer overflow in WebAudio. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-18
[TBD][486349161] High CVE-2026-4444: Stack buffer overflow in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-21
[TBD][486421953] High CVE-2026-4445: Use after free in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-22
[TBD][486421954] High CVE-2026-4446: Use after free in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-22
[TBD][486657483] High CVE-2026-4447: Inappropriate implementation in V8. Reported by Erge on 2026-02-23
[TBD][486972661] High CVE-2026-4448: Heap buffer overflow in ANGLE. Reported by M. Fauzan Wijaya (Gh05t666nero) on 2026-02-23
[TBD][487117772] High CVE-2026-4449: Use after free in Blink. Reported by Syn4pse on 2026-02-24
[TBD][487746373] High CVE-2026-4450: Out of bounds write in V8. Reported by qymag1c on 2026-02-26
[TBD][487768779] High CVE-2026-4451: Insufficient validation of untrusted input in Navigation. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-26
[TBD][487977696] High CVE-2026-4452: Integer overflow in ANGLE. Reported by cinzinga on 2026-02-26
[TBD][488400770] High CVE-2026-4453: Integer overflow in Dawn. Reported by sweetchip on 2026-02-27
[TBD][488585488] High CVE-2026-4454: Use after free in Network. Reported by heapracer (@heapracer) on 2026-03-01
[TBD][488585504] High CVE-2026-4455: Heap buffer overflow in PDFium. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-01
[TBD][488617440] High CVE-2026-4456: Use after free in Digital Credentials API. Reported by sean wong on 2026-02-28
[TBD][488803413] High CVE-2026-4457: Type Confusion in V8. Reported by Zhenpeng (Leo) Lin at depthfirst on 2026-03-01
[TBD][489619753] High CVE-2026-4458: Use after free in Extensions. Reported by Shaheen Fazim on 2026-03-04
[TBD][490246422] High CVE-2026-4459: Out of bounds read and write in WebAudio. Reported by Jihyeon Jeong (Compsec Lab, Seoul National University / Research Intern) on 2026-03-06
[TBD][490254124] High CVE-2026-4460: Out of bounds read in Skia. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-06
[TBD][490558172] High CVE-2026-4461: Inappropriate implementation in V8. Reported by Google on 2026-03-07
[TBD][491080830] High CVE-2026-4462: Out of bounds read in Blink. Reported by heapracer (@heapracer) on 2026-03-09
[TBD][491358681] High CVE-2026-4463: Heap buffer overflow in WebRTC. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-10
[TBD][487208468] Medium CVE-2026-4464: Integer overflow in ANGLE. Reported by heesun on 2026-02-24
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
The Stable channel has been updated to 146.0.7680.80 for Windows/Mac and 146.0.7680.80 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 1 security fix. Please see the Chrome Security Page for more information.
[N/A][491421267] High CVE-2026-3909: Out of bounds write in Skia. Reported by Google Threat Analysis Group on 2026-03-10
Google is aware that an exploit for CVE-2026-3909 exists in the wild.
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
The Stable channel has been updated to 146.0.7680.75/76 for Windows/Mac and 146.0.7680.75 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log
Security Fixes and Rewards
Updated 2026-03-13: The previous version of these notes included CVE-2026-3909, the fix
for which will instead be available in a future update.
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 1 security fix. Please see the Chrome Security Page for more information.Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
The Chrome team is delighted to announce the promotion of Chrome 146 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 29 security fixes. Please see the Chrome Security Page for more information.
[$33000][483445078] Critical CVE-2026-3913: Heap buffer overflow in WebML. Reported by Tobias Wienand on 2026-02-10
[$43000][481776048] High CVE-2026-3914: Integer overflow in WebML. Reported by cinzinga on 2026-02-04
[$43000][483971526] High CVE-2026-3915: Heap buffer overflow in WebML. Reported by Tobias Wienand on 2026-02-12
[$36000][482828615] High CVE-2026-3916: Out of bounds read in Web Speech. Reported by Grischa Hauser on 2026-02-09
[$11000][483569512] High CVE-2026-3917: Use after free in Agents. Reported by Syn4pse on 2026-02-11
[$10000][483853103] High CVE-2026-3918: Use after free in WebMCP. Reported by Syn4pse on 2026-02-12
[$2000][444176961] High CVE-2026-3919: Use after free in Extensions. Reported by Huinian Yang (@vmth6) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2025-09-10
[TBD][482875307] High CVE-2026-3920: Out of bounds memory access in WebML. Reported by Google on 2026-02-09
[TBD][484946544] High CVE-2026-3921: Use after free in TextEncoding. Reported by Pranamya Keshkamat & Cantina.xyz on 2026-02-17
[TBD][485397139] High CVE-2026-3922: Use after free in MediaStream. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-18
[TBD][485935314] High CVE-2026-3923: Use after free in WebMIDI. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-20
[TBD][487338366] High CVE-2026-3924: Use after free in WindowDialog. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-02-25
[$10000][418214610] Medium CVE-2026-3925: Incorrect security UI in LookalikeChecks. Reported by NDevTK and Alesandro Ortiz on 2025-05-17
[$7000][478659010] Medium CVE-2026-3926: Out of bounds read in V8. Reported by qymag1c on 2026-01-26
[$3000][474948986] Medium CVE-2026-3927: Incorrect security UI in PictureInPicture. Reported by Barath Stalin K on 2026-01-11
[$2000][435980394] Medium CVE-2026-3928: Insufficient policy enforcement in Extensions. Reported by portsniffer443 on 2025-08-03
[$2000][477180001] Medium CVE-2026-3929: Side-channel information leakage in ResourceTiming. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-01-20
[$1000][476898368] Medium CVE-2026-3930: Unsafe navigation in Navigation. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-01-19
[TBD][417599694] Medium CVE-2026-3931: Heap buffer overflow in Skia. Reported by Huinian Yang (@vmth6) of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2025-05-14
[TBD][478296121] Medium CVE-2026-3932: Insufficient policy enforcement in PDF. Reported by Ayato Shitomi on 2026-01-23
[TBD][478783560] Medium CVE-2026-3934: Insufficient policy enforcement in ChromeDriver. Reported by Povcfe of Tencent Security Xuanwu Lab on 2026-01-26
[TBD][479326680] Medium CVE-2026-3935: Incorrect security UI in WebAppInstalls. Reported by Barath Stalin K on 2026-01-28
[TBD][481920229] Medium CVE-2026-3936: Use after free in WebView. Reported by Am4deu$ on 2026-02-05
[$3000][473118648] Low CVE-2026-3937: Incorrect security UI in Downloads. Reported by Abhishek Kumar on 2026-01-03
[$2000][474763968] Low CVE-2026-3938: Insufficient policy enforcement in Clipboard. Reported by vicevirus on 2026-01-10
[$1000][40058077] Low CVE-2026-3939: Insufficient policy enforcement in PDF. Reported by NDevTK on 2021-11-30
[$1000][470574526] Low CVE-2026-3940: Insufficient policy enforcement in DevTools. Reported by Jorian Woltjer, Mian, bug_blitzer on 2025-12-21
[$1000][474670215] Low CVE-2026-3941: Insufficient policy enforcement in DevTools. Reported by Lyra Rebane (rebane2001) on 2026-01-10
[N/A][475238879] Low CVE-2026-3942: Incorrect security UI in PictureInPicture. Reported by Barath Stalin K on 2026-01-12
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
Google Chrome
The Stable channel has been updated to 146.0.7680.65/.66 for Windows and Mac as part of our early stable release to a small percentage of users. A full list of changes in this build is available in the log.
You can find more details about early Stable releases here.
Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Srinivas Sista
Google Chrome
The Extended Stable channel has been updated to 144.0.7559.236 for Windows and Mac which will roll out over the coming days/weeks.
Log in