CVE-2026-5289 – Google Chrome Release 146

Google Chrome Release 146 addresses multiple vulnerabilities across core browser components, including memory safety, rendering, and content processing. These issues could allow attackers to execute arbitrary code, crash the browser, or bypass security protections through malicious web content. The presence of multiple critical and high-severity vulnerabilities significantly increases the overall risk exposure.

CVE-2026-5288, CVE-2026-5289, and CVE-2026-5290 each have a CVSS score of 9.6, which is Critical severity. Numerous other vulnerabilities—including CVE-2026-5272, 5274, 5275, 5278, 5279, 5280, 5281, 5285, 5286, 5287, and 5292—have CVSS scores ranging from 7.5 to 8.8, which is High severity. Medium severity issues include CVE-2026-5273 (6.3), CVE-2026-5276 (6.5), CVE-2026-5283 (6.5), and CVE-2026-5291 (6.5).

Active exploitation has been confirmed for CVE-2026-5281, a use-after-free condition. This flaw can be triggered through malicious web content, allowing attackers to execute arbitrary code or compromise system integrity during normal browsing activity, increasing urgency for patching. No other vulnerabilities in this release show verified exploitation or public proof-of-concept code. The update strengthens memory handling, improves sandbox protections, and fixes unsafe processing of untrusted content.

List of CVEs included in this release:

• CVE-2026-5288 — 9.6
• CVE-2026-5289 — 9.6
• CVE-2026-5290 — 9.6
• CVE-2026-5272 — 8.8
• CVE-2026-5274 — 8.8
• CVE-2026-5275 — 8.8
• CVE-2026-5278 — 8.8
• CVE-2026-5279 — 8.8
• CVE-2026-5280 — 8.8
• CVE-2026-5281 — 8.8
• CVE-2026-5285 — 8.8
• CVE-2026-5286 — 8.8
• CVE-2026-5287 — 8.8
• CVE-2026-5292 — 8.8
• CVE-2026-5282 — 8.1
• CVE-2026-5277 — 7.5
• CVE-2026-5284 — 7.5
• CVE-2026-5276 — 6.5
• CVE-2026-5283 — 6.5
• CVE-2026-5291 — 6.5
• CVE-2026-5273 — 6.3