Google Urgently Patches Critical Chrome Vulnerabilities Enabling Remote Code Execution
Google has released an urgent security update for its Chrome browser, addressing 16 vulnerabilities, including two critical flaws that could allow attackers to execute arbitrary code on affected systems. The Stable channel has been updated to version 148.0.7778.178/179 for Windows and Mac, and 148.0.7778.178 for Linux, with the rollout expected to complete over the coming days.
Critical Vulnerabilities Patched
The two most severe vulnerabilities, both rated as Critical, were reported internally by Google on April 20, 2026:
– CVE-2026-9111: A Use-After-Free vulnerability in WebRTC, which could be exploited to corrupt memory and achieve remote code execution through a maliciously crafted web page.
– CVE-2026-9110: An Inappropriate Implementation flaw in the UI layer, which could allow attackers to bypass security restrictions or spoof browser interface elements.
Use-after-free vulnerabilities are particularly dangerous because the dangling pointer lets an attacker read or write memory that has since been reallocated for another purpose, and such bugs are often chained with other exploits to reach full system compromise.
High-Severity Vulnerabilities Patched
In addition to the critical flaws, Google addressed nine High-severity vulnerabilities across multiple components:
– CVE-2026-9112: Use-After-Free in GPU, reported by an external researcher identified as c6eed09fc8b174b0f3eebedcceb1e792, earning an $11,000 bug bounty.
– CVE-2026-9113: Out-of-Bounds Read in GPU, reported by the same researcher, with a $3,000 bounty.
– CVE-2026-9114: Use-After-Free in QUIC.
– CVE-2026-9115: Insufficient Policy Enforcement in Service Worker.
– CVE-2026-9116: Insufficient Policy Enforcement in Service Worker.
– CVE-2026-9117: Type Confusion in GFX.
– CVE-2026-9118: Use-After-Free in XR.
– CVE-2026-9119: Heap Buffer Overflow in WebRTC.
– CVE-2026-9120: Use-After-Free in WebRTC.
These vulnerabilities span various components of the browser, highlighting the complexity and potential attack surface of modern web browsers.
Medium-Severity Vulnerabilities Patched
Google also addressed five Medium-severity issues:
– CVE-2026-9121 and CVE-2026-9122: Out-of-Bounds Reads in GPU, reported by David Korczynski of Adalogics and the same external researcher.
– CVE-2026-9123: Heap Buffer Overflow in Chromecast.
– CVE-2026-9124: Insufficient Input Validation.
– CVE-2026-9126: Use-After-Free in DOM.
Mitigation Steps
To protect against these vulnerabilities, users and administrators should take the following steps immediately:
1. Update Chrome: Navigate to `chrome://settings/help` and confirm the browser version is 148.0.7778.178 or higher.
2. Restart Chrome: Restart the browser to apply any pending updates.
3. Enterprise Deployment: Enterprise administrators should force-deploy the update via policy management tools.
4. Monitor Advisories: Keep an eye on Chrome release notes and advisories from the Cybersecurity and Infrastructure Security Agency (CISA) for any active exploitation indicators.
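A fleet check for the update step above, as an added example that is not part of the article or of Google's tooling: it parses the line Chrome prints for `--version` and compares it numerically against 148.0.7778.178, the lowest fixed build named in the advisory. The inventory lines and hostnames are constructed, and the `google-chrome` binary name is an assumption (the executable is named differently on Windows and macOS).

```python
import re
import subprocess
from typing import List, Optional, Tuple

# Lowest fixed build quoted in the advisory (Linux; Windows/Mac ship .178/.179).
MIN_FIXED = "148.0.7778.178"

# Chrome's version line looks like "Google Chrome 148.0.7778.178".
VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract the four-part dotted version from a --version line as integers."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(installed: str, fixed: str = MIN_FIXED) -> bool:
    """Component-wise numeric comparison. A plain string comparison would
    wrongly rank '148.0.7778.9' above '148.0.7778.178'."""
    return parse_version(installed) >= parse_version(fixed)


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Ask the local binary (assumed name) for its version; None if absent."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


# Constructed sample inventory (hostname, --version output); values are made up.
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 148.0.7778.178"),
    ("ws-002", "Google Chrome 148.0.7778.9"),
    ("ws-003", "Google Chrome 147.0.7700.220"),
    ("ws-004", "Google Chrome 148.0.7778.179"),
]


def unpatched_hosts(inventory=SAMPLE_INVENTORY) -> List[str]:
    """Hostnames still running a build below the fixed version."""
    return [host for host, line in inventory if not is_patched(line)]


if __name__ == "__main__":
    for host, line in SAMPLE_INVENTORY:
        print(host, "OK" if is_patched(line) else "UPDATE NEEDED", line)
    live = installed_chrome_version()
    if live:
        print("this host:", live, "OK" if is_patched(live) else "UPDATE NEEDED")
```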
Google notes that bug details will remain restricted until most users have received the patch, reducing the risk of exploitation during the rollout window.
Understanding Use-After-Free Vulnerabilities
Use-after-free vulnerabilities occur when a program continues to use a pointer after the memory it points to has been freed, so reads and writes through that pointer touch memory that may already have been reused for something else, which is undefined behavior. In the context of a web browser, an attacker can exploit this to execute arbitrary code, potentially leading to full system compromise. These vulnerabilities are particularly concerning because they can be triggered simply by visiting a malicious web page.
The Importance of Timely Updates
With billions of users worldwide, Chrome is a prime target for attackers. Timely updates are crucial to protect against known vulnerabilities. Users are urged to ensure their browsers are up to date to mitigate the risk of exploitation.
Conclusion
The recent Chrome update addresses multiple critical and high-severity vulnerabilities that could allow attackers to execute arbitrary code on affected systems. Users and administrators are strongly advised to update their browsers immediately to protect against potential exploits.