

If you use Google Chrome or any related browser, such as Chromium, Edge, and many others, make sure you’re getting updates regularly and frequently!
Although many Chromium-based browsers try to update themselves automatically by default, and usually succeed, it’s worth knowing how to check that you really are staying up-to-date.
All the way back to the heady, bug-filled early days of Internet Explorer, browsers have been a key target for legitimate cybersecurity researchers and cybercriminals alike.
We’ve already written about the risks of using your browser for storing personal secrets such as passwords and credit card data.
But even malicious software code that runs entirely inside your browser, where it can’t view any system files, start any external programs, or snoop on any operating system activity…
…may be able, in the presence of exploitable security bugs in the browser, to extract vital secrets from your browsing.
All sorts of personal and private data is within reach inside your browser, where it could be eavesdropped and modified, including:
That’s why browser vulnerabilities are highly prized among cybercriminals and state-sponsored actors, whether those security holes ultimately allow an attacker to escape from the browser and take over the whole computer or not.
With all of this in mind, it’s been a bad week for browsers based on the Chromium project.
Google Chrome is the most widespread of these, being the primary browser for an estimated two-thirds of laptop users, and for the vast majority of Android phone owners.
On Tuesday 2026-03-10, Chrome 146 arrived, combining feature updates with 29 security fixes, including a Critical fix (CVE-2026-3913) for a buffer overflow in WebML, a machine learning subsystem in Chrome that can be used for tasks such as speech-to-text and image captioning.
Two other bugs in WebML were fixed at the same time, one an integer overflow, the other a buffer overflow, with a total of $33,000 + $43,000 + $43,000 = $119,000 paid out in bug bounties just for the three security holes in Chrome’s artificial intelligence engine.
Buffer overflows happen when part of a program saves more data into memory than it has reserved space for, thereby trampling on nearby data used for other purposes.
Attackers may be able to exploit buffer overflows to corrupt data used elsewhere, which could lead to security bypasses or data theft.
Buffer overflows may also enable attackers to divert the flow of execution in the program – either crashing it deliberately at will, or taking over completely (what’s known as remote code execution, or RCE) to implant spyware or malware.
Integer overflows happen when a program adds to a numeric value stored in a fixed number of digits, but there isn’t enough room for the answer, causing a fault in the calculation.
An excellent example is the infamous Millennium Bug.
Programs that only used two digits for the year to save space, thus representing 1999 as just 99, added 99 + 1 at the end of the year, but wrapped round back to 00 (which denoted 1900) instead of advancing to 100 (which would have denoted the year 2000).
Integer overflows in modern programs may be exploitable to manipulate values that keep track of “how much data to copy”.
This can have numerous side-effects, including tricking software into not copying enough, which could lead to private data not getting securely rewritten, or copying too much, thus causing a buffer overflow.
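To make the two bug classes above concrete, here is an added example in C. It is not code from Chrome, Skia, WebML or the article; the region layout, the field names (`name`, `is_admin`), the function names and the 12-byte input are all constructed for the demonstration. The first half models a fixed-size buffer with a flag stored right after it, and shows an unchecked copy trampling that flag while a length-checked copy refuses the input. The second half shows the size-calculation integer overflow the text describes: `count * elem_size` silently wrapping to zero, beside a check that catches the wrap before the product is used.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed model (not Chrome code): one small memory region where an
 * 8-byte name buffer is immediately followed by a 32-bit is_admin flag.
 * Modelling both fields as one byte array keeps every write inside the
 * array, so the demonstration is defined behaviour, while still showing
 * how an overrun of the buffer tramples its neighbour. */
#define NAME_CAP 8u
#define FLAG_OFF NAME_CAP
#define REGION_SIZE (NAME_CAP + sizeof(uint32_t))

struct region {
    unsigned char bytes[REGION_SIZE];
};

static uint32_t read_flag(const struct region *r) {
    uint32_t v;
    memcpy(&v, r->bytes + FLAG_OFF, sizeof v);
    return v;
}

/* Vulnerable pattern: the caller-supplied length is never compared with
 * NAME_CAP, so a 12-byte input overwrites the flag that follows the buffer.
 * (The clamp to REGION_SIZE only keeps the toy model inside its array.) */
static void store_name_unchecked(struct region *r, const unsigned char *src, size_t len) {
    if (len > REGION_SIZE) len = REGION_SIZE;
    memcpy(r->bytes, src, len);
}

/* Hardened: refuse anything that does not fit, leaving memory untouched. */
static int store_name_checked(struct region *r, const unsigned char *src, size_t len) {
    if (len > NAME_CAP) return -1;
    memcpy(r->bytes, src, len);
    return 0;
}

/* Integer overflow in a "how much to allocate" calculation: count * elem_size
 * silently wraps modulo SIZE_MAX + 1, so a huge request can yield a tiny
 * (even zero) size, and a later copy of count elements overflows it. */
static size_t total_size_unchecked(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Hardened: detect the wrap before the product is used. Returns 0 and
 * stores the size on success, -1 if the multiplication would overflow. */
static int total_size_checked(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) return -1;
    *out = count * elem_size;
    return 0;
}

/* Scenario: is_admin starts at 0, then a 12-byte attacker-chosen name
 * (eight 'A's followed by four 0x01 bytes) is stored. Returns the flag
 * value afterwards: 0x01010101 when the unchecked copy is used, 0 when the
 * checked copy rejects the oversized input. */
static uint32_t demo_overflow(int use_checked) {
    struct region r;
    unsigned char payload[12];
    memset(r.bytes, 0, sizeof r.bytes);
    memset(payload, 'A', NAME_CAP);
    memset(payload + NAME_CAP, 0x01, sizeof payload - NAME_CAP);
    if (use_checked)
        (void)store_name_checked(&r, payload, sizeof payload);   /* returns -1 */
    else
        store_name_unchecked(&r, payload, sizeof payload);
    return read_flag(&r);
}

int main(void) {
    size_t n;
    printf("unchecked copy  -> is_admin = 0x%08x\n", demo_overflow(0));
    printf("checked copy    -> is_admin = 0x%08x\n", demo_overflow(1));
    printf("unchecked size for (SIZE_MAX/4+1) * 8 = %zu\n",
           total_size_unchecked(SIZE_MAX / 4 + 1, 8));
    printf("checked size   -> %s\n",
           total_size_checked(SIZE_MAX / 4 + 1, 8, &n) == 0 ? "ok" : "rejected");
    return 0;
}
```

The division-based check in `total_size_checked` is portable C; on GCC and Clang the same test can be written with `__builtin_mul_overflow`, which also covers signed types. The point of the flag value 0x01010101 is that it reads the same on little- and big-endian machines, so the trampled field is recognisable either way.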
A further eleven memory mismanagement bugs were also fixed, with severities judged as High and Medium.
Just two days later, on Thursday 2026-03-12, Chrome 146 was updated again, this time to 146.0.7680.75 (.76 on Mac), claiming to fix two zero-day bugs – the jargon name for exploitable security holes already being abused by attackers.
But Thursday’s fix wasn’t as complete as its early documentation suggested, patching only one of the two zero-days (CVE-2026-3910) but failing to deal with the other (CVE-2026-3909).
The CVE-2026-3909 zero-day, an exploitable buffer overflow in Chrome’s Skia graphics library, was fixed in a third update to 146.0.7680.80 that arrived on Friday the Thirteenth.
Graphics-handling bugs of this sort are particularly dangerous, because almost all modern web pages contain at least some graphical content such as a logo or icon that could be booby-trapped to trigger a known vulnerability, even if all you do is view the page.
Go to the three-dots menu at top right, and choose About Google Chrome to check your current version.
You should have 146.0.7680.80 or later.
If you don’t, Chrome should fetch and install the update for you.
Other Chrome variants include Chromium, the open-source version of Google’s proprietary Chrome (which is free but not open-source), and Ungoogled Chromium, a build of Chromium that doesn’t call home to any of Google’s tracking services. You may need to update these yourself, depending on how they were provided, or to update them through your operating system’s package manager.
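For anyone checking a fleet of machines rather than one About box, here is an added example in C (not code from the article, from Google or from any Chromium project) that compares a reported version against the 146.0.7680.80 minimum named above. The banner strings are constructed samples modelled on what `google-chrome --version` or `chromium --version` print on Linux, and the function names are mine. It also shows why a plain string comparison is the wrong tool: character-wise, "146.0.7680.9" sorts after "146.0.7680.80".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Minimum Chrome build named in the post. */
#define REQUIRED_CHROME_VERSION "146.0.7680.80"

#define VERSION_PARTS 4

/* Parse a dotted version such as "146.0.7680.80" into up to four numeric
 * components (missing trailing components count as 0).
 * Returns 0 on success, -1 if the string is not a plain dotted number. */
static int parse_version(const char *s, unsigned long parts[VERSION_PARTS]) {
    int i;
    for (i = 0; i < VERSION_PARTS; i++) parts[i] = 0;
    if (s == NULL) return -1;
    for (i = 0; i < VERSION_PARTS; i++) {
        char *end;
        if (!isdigit((unsigned char)*s)) return -1;   /* rejects "", "1..2", "1.", "1.x" */
        parts[i] = strtoul(s, &end, 10);
        if (*end == '\0') return 0;
        if (*end != '.') return -1;
        s = end + 1;
    }
    return -1;   /* more than four components */
}

/* Numeric, component-wise comparison: <0 if a is older than b, 0 if equal,
 * >0 if newer. strcmp() is wrong here because it compares characters, so
 * "146.0.7680.9" would sort after "146.0.7680.80". */
static int compare_versions(const unsigned long a[VERSION_PARTS],
                            const unsigned long b[VERSION_PARTS]) {
    for (int i = 0; i < VERSION_PARTS; i++) {
        if (a[i] < b[i]) return -1;
        if (a[i] > b[i]) return 1;
    }
    return 0;
}

/* Pull the first dotted version out of a banner line such as the constructed
 * sample "Google Chrome 146.0.7680.80". Copies it NUL-terminated into out;
 * returns 0, or -1 if the banner contains no digits. */
static int extract_version(const char *banner, char *out, size_t out_cap) {
    const char *p = banner;
    size_t n = 0;
    while (*p && !isdigit((unsigned char)*p)) p++;
    if (!*p) return -1;
    while ((isdigit((unsigned char)p[n]) || p[n] == '.') && n + 1 < out_cap) n++;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* 1 if installed is at least required, 0 if it is older, -1 if either
 * string cannot be parsed. */
static int is_up_to_date(const char *installed, const char *required) {
    unsigned long a[VERSION_PARTS], b[VERSION_PARTS];
    if (parse_version(installed, a) != 0 || parse_version(required, b) != 0) return -1;
    return compare_versions(a, b) >= 0 ? 1 : 0;
}

/* Convenience: check a whole banner line against the post's minimum. */
static int banner_is_current(const char *banner) {
    char v[32];
    if (extract_version(banner, v, sizeof v) != 0) return -1;
    return is_up_to_date(v, REQUIRED_CHROME_VERSION);
}

int main(void) {
    const char *samples[] = {           /* constructed sample banners */
        "Google Chrome 146.0.7680.80",
        "Chromium 146.0.7680.75",
        "Google Chrome 146.0.7680.9",
        "Google Chrome 147.0.1.2",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s\n", samples[i],
               banner_is_current(samples[i]) == 1 ? "up to date" : "UPDATE NEEDED");
    return 0;
}
```

Treat an unparsable banner (return value -1) as "needs a look" rather than as up to date: a renamed or repackaged build, such as a distribution's Chromium package, may report its version differently, and a failed parse should never be mistaken for a pass.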
Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!
Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
Featured image of Wi-Fi sign in Milano by Joshi Milestoner via Unsplash.
