The Extended Stable channel has been updated to 146.0.7680.201 for Windows and Mac which will roll out over the coming days/weeks.

The Stable channel has been updated to 147.0.7727.101/102 for Windows/Mac  and 147.0.7727.101 for Linux, which will roll out over the coming days/weeks. A full list of changes in this build is available in the Log

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 31 security fixes. Please see the Chrome Security Page for more information.

[$90000][490170083] Critical CVE-2026-6296: Heap buffer overflow in ANGLE. Reported by cinzinga on 2026-03-05

[$10000][493628982] Critical CVE-2026-6297: Use after free in Proxy. Reported by heapracer on 2026-03-17

[TBD][495700484] Critical CVE-2026-6298: Heap buffer overflow in Skia. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-24

[N/A][497053588] Critical CVE-2026-6299: Use after free in Prerender. Reported by Google on 2026-03-28

[TBD][497724498] Critical CVE-2026-6358: Use after free in XR. Reported by Jihyeon Jeong (Compsec Lab, Seoul National University / Research Intern) on 2026-03-30

[TBD][490251701] High CVE-2026-6359: Use after free in Video. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-06

[TBD][491994185] High CVE-2026-6300: Use after free in CSS. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-03-12

[TBD][495273999] High CVE-2026-6301: Type Confusion in Turbofan. Reported by qymag1c on 2026-03-23

[TBD][495477995] High CVE-2026-6302: Use after free in Video. Reported by Syn4pse on 2026-03-24

[N/A][496282147] High CVE-2026-6303: Use after free in Codecs. Reported by Google on 2026-03-25

[N/A][496393742] High CVE-2026-6304: Use after free in Graphite. Reported by Google on 2026-03-26

[TBD][496618639] High CVE-2026-6305: Heap buffer overflow in PDFium. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-26

[TBD][496907110] High CVE-2026-6306: Heap buffer overflow in PDFium. Reported by 86ac1f1587b71893ed2ad792cd7dde32 on 2026-03-27

[TBD][497404188] High CVE-2026-6307: Type Confusion in Turbofan. Reported by Project WhatForLunch (@pjwhatforlunch) on 2026-03-29

[N/A][497412658] High CVE-2026-6308: Out of bounds read in Media. Reported by Google on 2026-03-29

[N/A][497846428] High CVE-2026-6309: Use after free in Viz. Reported by Google on 2026-03-30

[TBD][497880137] High CVE-2026-6360: Use after free in FileSystem. Reported by asjidkalam on 2026-03-31

[N/A][497969820] High CVE-2026-6310: Use after free in Dawn. Reported by Google on 2026-03-31

[N/A][498201025] High CVE-2026-6311: Uninitialized Use in Accessibility. Reported by Google on 2026-03-31

[N/A][498269651] High CVE-2026-6312: Insufficient policy enforcement in Passwords. Reported by Google on 2026-03-31

[N/A][498765210] High CVE-2026-6313: Insufficient policy enforcement in CORS. Reported by Google on 2026-04-02

[N/A][498782145] High CVE-2026-6314: Out of bounds write in GPU. Reported by Google on 2026-04-02

[N/A][499247910] High CVE-2026-6315: Use after free in Permissions. Reported by Google on 2026-04-03

[N/A][499384399] High CVE-2026-6316: Use after free in Forms. Reported by Google on 2026-04-03

[N/A][500036290] High CVE-2026-6361: Heap buffer overflow in PDFium. Reported by Google on 2026-04-06

[TBD][500066234] High CVE-2026-6362: Use after free in Codecs. Reported by c6eed09fc8b174b0f3eebedcceb1e792 on 2026-04-07

[N/A][500091052] High CVE-2026-6317: Use after free in Cast. Reported by Google on 2026-04-06

[N/A][495751197] Medium CVE-2026-6363: Type Confusion in V8. Reported by Google on 2026-03-24

[TBD][495996858] Medium CVE-2026-6318: Use after free in Codecs. Reported by Syn4pse on 2026-03-25

[TBD][499018889] Medium CVE-2026-6319: Use after free in Payments. Reported by pwn2addr on 2026-04-02

[N/A][502103414] Medium CVE-2026-6364: Out of bounds read in Skia. Reported by Google Threat Intelligence on 2026-04-13

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Srinivas Sista

✨ New Features & Improvements

• @directus/app
  • Replaced "All Users" tab with Active, Suspended, and Invited status tabs (#27036 by @robluton)
  • Added Save as New File option to image editor (#27084 by @JamesW1)
• @directus/api
  • Added a new /ai/object endpoint to generate structured objects for autocomplete and other inline experiences (#26862 by @bryantgillespie)
• @directus/composables
  • Eliminated redundant count requests in the useItems composable (#26906 by @okxint)

🐛 Bug Fixes & Optimizations

• @directus/app
  • Fixed export failing on collections with virtual fields like $thumbnail by excluding them from export defaults and the field picker (#27073 by @om-singh-D)
  • Added customizing of cache keys for flow endpoints. (#26935 by @costajohnt)
  • Fix "Use named routes instead of hardcoded path strings #26733" (#26809 by @powerseed)
  • Fixed VBadge intercepting pointer events on slotted elements (#27087 by @HZooly)
  • Fixed comparison modal footer responsive breakpoint (#27061 by @robluton)
  • Updated liquidjs, axios, vite, nodemailer, brace-expansion, basic-ftp, hono, fast-xml-parser, tar, (#27081 by @br41nslug)
    qs and defu dependencies
• @directus/api
  • Added customizing of cache keys for flow endpoints. (#26935 by @costajohnt)
  • Updated liquidjs, axios, vite, nodemailer, brace-expansion, basic-ftp, hono, fast-xml-parser, tar, (#27081 by @br41nslug)
    qs and defu dependencies
  • Fixed schema introspection for MSSQL text fields with max length of -1 to be normalized to null (#26934 by @begsaquib)
  • Trimmed leading and trailing spaces from search queries (#27089 by @robluton)
  • Fixed promotion of deleted relation returning invalid date time value error (#27040 by @gaetansenn)
  • Fixed api building with a node_modules folder (#27067 by @Nitwel)
  • Fixed MARKETPLACE_REGISTRY env not being passed to registry list call when generating extension settings (#27076 by @gaetansenn)
  • Replaced INTERNAL_SERVER_ERROR with SERVICE_UNAVAILABLE for marketplace registry errors and improved error messages. (#26937 by @eric-pennecot)
• @directus/schema
  • Fixed schema introspection for MSSQL text fields with max length of -1 to be normalized to null (#26934 by @begsaquib)
• @directus/themes
  • Fixed api building with a node_modules folder (#27067 by @Nitwel)
• @directus/types
  • Fixed api building with a node_modules folder (#27067 by @Nitwel)

📦 Published Versions

• @directus/app@15.9.0
• @directus/api@35.1.0
• @directus/composables@11.4.0
• create-directus-extension@11.0.35
• @directus/extensions@3.0.24
• @directus/extensions-registry@3.0.25
• @directus/extensions-sdk@17.1.3
• @directus/schema@13.0.8
• @directus/schema-builder@0.0.19
• @directus/themes@1.3.2
• @directus/types@15.0.2

The DistroWatch news feed is brought to you by TUXEDO COMPUTERS. The Zorin project has published an update to Zorin OS. The latest version of the distribution, Zorin OS 18.1, introduces improved Windows application detection which allows for easy access to native Linux alternatives, the distribution provides tiling window improvements, and updates for the desktop panel. "The panel now....

5.42.1 (2026-04-15)

🔥 Bug fix

• typo in Russian translation for upload button (#25946)
• fixed 9 typos, spelling errors, and duplicate words. (#25936)
• skip form onChange when markdown updates come from setValue (#25955)
• adjust typo in test (#25960)
• update snapshot (9b2501ceeb)
• increase test timeout (f50134dbae)
• preserve relations in fill from another locale (#25703)
• enable save button when re-ordering components or dynamic zones (#25959)
• made changes to resolve Firefox timepicker issue (#25129, #25438)
• admin: batch content manager permission checks and reuse session ability (#25911)
• core: add firstPublishedAt field to draft (#25947)
• document-service: preserve relations during publish (#25909)
• tests: type errors cause build to fail which cause tests to fail (072ad0d801)
• upload: cache busting for cross-origin images in crop (#25950)
• upload-aws-s3: trust S3 response Location URL for compatible providers (#25939)

⚙️ Chore

• fix typos in comments and docs (12dfbe97c9)
• adding finnish translation to Strapi Admin (#25620)
• fix typos in comments and docs (91407798c4)
• update Polish language translations (#23762)
• deps: bump lodash from 4.17.23 to 4.18.1 (#25919)
• deps: bump lodash-es from 4.17.23 to 4.18.1 (#25906)
• deps: bump nodemailer from 8.0.4 to 8.0.5 (#25963)
• deps: bump axios from 1.13.5 to 1.15.0 (#25980)
• deps: bump path-to-regexp from 8.4.1 to 8.4.2 (#25901)
• examples: delete config.server.url to restore port override capability (#26011)

❤️ Thank You

• Adrien L @Adzouz
• akash-dabhi-qed @akash-dabhi-qed
• Antti Tuppurainen
• Bassel Kanso @Bassel17
• Jamie Howard @jhoward1994
• Mark Kaylor @markkaylor
• mathildeleg @mathildeleg
• Michał Kleszczyński @Magiczne
• Nico André @nclsndr
• Shalabh Gupta @coding-shalabh
• Tony @tonytkachenko
• Yohaan Narayanan @yohaann196
• Yohei Yamamoto @NAM-MAN

Alpine Linux stable releases 3.20.10, 3.21.7, 3.22.4, 3.23.4

{ Taipei, Taiwan, 15 april 2026 – QNAP® Systems, Inc. heeft vandaag HDP Recovery Media Creator uitgebracht, een disaster recovery-op ...} More

The DistroWatch news feed is brought to you by TUXEDO COMPUTERS. Simon Long has announced the release of a new security update of Raspberry Pi OS, a Debian-based Linux distribution designed for the popular Raspberry Pi single-board computers. The new version, besides bringing the usual range of bug fixes and improvements, also disables the passwordless sudo: "Today we are....

[p]The following changes are available in the animgraph_2_beta build. To opt into the beta build, follow the instructions here: https://help.steampowered.com/en/faqs/view/5A86-0DF4-C59E-8C4A[/p][p][/p][p]To report bugs or provide feedback about the beta build, please email csgoteamfeedback@valvesoftware.com with the subject "AG2 Beta".[/p][p][/p][p]\[ ANIMGRAPH 2 ][/p]

• [p]Fixed wrong pose when backing into corners[/p][/*]
• [p]Improved stuttering of 3rd person aim[/p][/*]
• [p]Fixed main menu pistol poses[/p][/*]
• [p]Added missing knife draw animations[/p][/*]
• [p]Fix pop when running and switching weapons[/p][/*]
• [p]Fix pop when switching weapons after throwing a grenade[/p][/*]
• [p]Fixed head wobbling when planting C4[/p][/*]
• [p]Fixed issue when holding inspect and changing weapons[/p][/*]

[p]\[ OTHER ][/p]

• [p]Fixed a case where it was possible to climb down ladders faster than before.[/p][/*]

[p][/p][p]Please note that the client may produce a fatal error message when attempting to connect to a server running a different build.[/p]