A new LTS-138 version 138.0.7204.310 (Platform Version: 16295.95.0), is being rolled out for most ChromeOS devices.
This version includes selected security fixes including:
490118036 Medium CVE-2026-5291 Inappropriate implementation in WebGL.
491516670 High CVE-2026-4679 Integer overflow in Fonts. Reported by GF,
487117772 High CVE-2026-4449 Use after free in Blink.
488188166 High CVE-2026-4674 Out of bounds read in CSS.
484751092 High CVE-2026-4442 Heap buffer overflow in CSS.
487768779 High CVE-2026-4451 Insufficient validation of untrusted input in Navigation.
492213293 Medium CVE-2026-5292 Out of bounds read in WebCodecs.
491655161 Medium CVE-2026-5282 Out of bounds read in WebCodecs.
485397139 High CVE-2026-3922 Use after free in MediaStream.
491515787 High CVE-2026-5280 Use after free in WebCodecs.
489619753 High CVE-2026-4458 Use after free in Extensions.
485935314 High CVE-2026-3923 Use after free in WebMIDI.
491080830 Medium CVE-2026-4462 Out of bounds read in Blink.
488585488 High CVE-2026-4454 Use after free in Network.
488270257 High CVE-2026-4675 Heap buffer overflow in WebGL.
And also:
CVE-2025-37752, CVE-2025-37756, CVE-2025-37797, CVE-2025-37890,
CVE-2025-37997, CVE-2025-38000, CVE-2025-38001, CVE-2025-38083,
CVE-2025-38177, CVE-2025-38350, CVE-2025-38477, CVE-2025-38616,
CVE-2025-38617, CVE-2025-38618
Release notes for LTS-138 can be found here
Want to know more about Long-term Support? Click here
Andy Wu
Google ChromeOS