Google has released a Stable Channel Update for Chrome, addressing 21 security vulnerabilities, including a high-profile code smuggling vulnerability that is actively being exploited in the wild. The update rolled out on Wednesday night.
Among the 21 security vulnerabilities fixed in this update, one in particular has drawn attention: a code smuggling vulnerability that allows attackers to inject malicious code into Chrome users’ systems. Google confirmed that this vulnerability is currently targeted by threat actors, making the update especially urgent for both individual users and organizations.
The company noted that out of the 21 vulnerabilities, 19 are classified as high-risk, while two are considered medium severity. Because exploitation in the wild has been confirmed, the latest Stable Channel Update should be installed as soon as possible.
Details of Chrome Stable Channel Update
According to Google’s official release, the new Stable Channel Update includes:
- Version 146.0.7680.177/178 for Windows and Mac
- Version 146.0.7680.177 for Linux
The rollout is expected to occur over the coming days and weeks, depending on user configurations and regional distributions.
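Because the rollout is staged, some machines will lag behind the fixed builds for a while. The following added example (not from Google or the original article) checks an inventory export against the versions listed above; the "host,platform,version text" line format and the sample records are assumptions constructed for illustration.

```python
import re

# Fixed Stable builds named in the article; .177 is the lowest fixed build per platform.
FIXED = {p: (146, 0, 7680, 177) for p in ("windows", "mac", "linux")}

VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

def parse_version(text):
    """Extract a four-part Chrome version from free text, e.g. `--version` output."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'patched', 'outdated' or 'unknown' for one inventory record."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # platform not covered by the article, or no version found
    # Tuple comparison is numeric per component; comparing strings would
    # wrongly rank "146.0.7680.99" above "146.0.7680.177".
    return "patched" if version >= fixed else "outdated"

def audit(inventory_lines):
    """Parse 'host,platform,version text' lines (assumed format); return {host: status}."""
    results = {}
    for line in inventory_lines:
        parts = line.strip().split(",", 2)
        if line.lstrip().startswith("#") or len(parts) != 3:
            continue  # skip comments, blank lines and malformed records
        host, platform, version_text = parts
        results[host.strip()] = classify(platform, version_text)
    return results

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = """\
# host,platform,version
ws-01,Windows,Google Chrome 146.0.7680.178
ws-02,Windows,146.0.7680.99
mb-01,Mac,Google Chrome 146.0.7680.177
lx-01,Linux,Google Chrome 145.0.7632.160
lx-02,Linux,Google Chrome 146.0.7680.177 
kiosk-1,ChromeOS,146.0.7680.177
lx-03,Linux,version lookup failed
""".splitlines()

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Records marked "unknown" need manual follow-up rather than being counted as safe, since the article lists fixed builds only for Windows, Mac and Linux.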
Google has provided a comprehensive changelog listing all security vulnerabilities patched in this update, though access to certain bug details may remain restricted until a majority of users have installed the fix. This precaution is designed to prevent exploitation of vulnerabilities in third-party libraries that are also used by other projects.


Breakdown of High-Risk Security Vulnerabilities
The update addresses multiple high-risk vulnerabilities reported by security researchers between March 1 and March 25, 2026. Some of the most notable include:
- CVE-2026-5273: Use-after-free in CSS, reported March 18
- CVE-2026-5272: Heap buffer overflow in GPU, reported March 11
- CVE-2026-5274: Integer overflow in Codecs, reported March 1
- CVE-2026-5281: Use-after-free in Dawn, reported March 10 (actively exploited in the wild)
- CVE-2026-5287: Use-after-free in PDF, reported March 21
Other vulnerabilities addressed involve ANGLE, WebUSB, WebCodecs, WebGL, WebView, V8, and multiple components of Chrome’s rendering engine.
Security Fixes, Exploit Awareness, and Research Contributions
Google acknowledged the ongoing threat posed by the code smuggling vulnerability, noting that CVE-2026-5281 is actively being exploited.
The company also thanked security researchers who collaborated to identify and report these issues, citing tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL as key instruments in detecting and mitigating these security vulnerabilities before they reached the stable channel.
By publicly disclosing these vulnerabilities, Google aims to provide transparency while allowing users and organizations to patch their systems promptly.
Why Users Should Update Immediately
This Stable Channel Update highlights the ongoing risks posed by security vulnerabilities in widely used software like Chrome. The inclusion of actively exploited issues, such as the code smuggling vulnerability, shows the potential consequences of delayed updates, which can include unauthorized code execution, data theft, or broader system compromise.
Users are strongly encouraged to install the latest Chrome update across all devices to reduce exposure to these threats. Regularly updating browsers remains one of the most effective defenses against cyberattacks targeting widely deployed software.
