Google Chrome 148 Update Fixes 127 Security Flaws, Urges Immediate User Update

Google Chrome 148 Update: 127 Security Vulnerabilities Patched, Including Three Critical Flaws

Google has released Chrome version 148 to the stable channel for Windows, Mac, and Linux users, marking one of the most significant security updates in the browser’s history. This update addresses 127 security vulnerabilities, including three classified as Critical, over two dozen rated High, and numerous others of Medium and Low severity.

Critical Vulnerabilities Addressed

Among the Critical vulnerabilities patched are:

– CVE-2026-7896: An integer overflow in the Blink rendering engine, reported on March 18 by an external researcher, earning a $43,000 bounty.

– CVE-2026-7897 and CVE-2026-7898: Use-after-free vulnerabilities in the Mobile component and Chromoting (Chrome Remote Desktop), respectively, both internally reported by Google in April.

Use-after-free vulnerabilities are particularly dangerous because code that keeps using a pointer after its memory has been freed can end up operating on data an attacker has placed in that freed region, which can lead to arbitrary code execution.

High-Severity Vulnerabilities

The update also addresses several High-severity vulnerabilities, including:

– CVE-2026-7899: An out-of-bounds read and write in Chrome’s V8 JavaScript engine, reported by Project WhatForLunch (@pjwhatforlunch), earning the highest individual reward of $55,000.

– CVE-2026-7900 and CVE-2026-7901: Heap buffer overflow and use-after-free bugs in ANGLE (the graphics abstraction layer), each earning $16,000 in rewards.

– CVE-2026-7902: An out-of-bounds memory access in V8, reported by JunYoung Park of KAIST Hacking Lab, earning $8,000.

These vulnerabilities represent significant risks for drive-by exploitation through maliciously crafted web pages.

Additional Vulnerabilities and Fixes

Beyond the top-tier flaws, Chrome 148 addresses a cascade of use-after-free vulnerabilities across various components, including SVG, DOM, Fullscreen, GPU, WebRTC, Skia, Passwords, ServiceWorker, PresentationAPI, and WebAudio.

Medium-severity findings include an object lifecycle issue in V8 (CVE-2026-7936), type confusion in WebRTC (CVE-2026-7988), and insufficient policy enforcement in DevTools, Extensions, and DirectSockets.

Notably, CVE-2026-8022, a Low-severity inappropriate implementation in MHTML, could allow a remote attacker to leak cross-origin data via a crafted MHTML page when a user is tricked into specific UI gestures.

Security Research and Bug Bounties

Google credited dozens of independent researchers for their contributions, including teams from KAIST Hacking Lab, Tencent Security Xuanwu Lab, National Yang Ming Chiao Tung University’s Security and Systems Lab, and Theori.

The vulnerabilities were uncovered using automated fuzzing and sanitizer tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, libFuzzer, and AFL, underscoring the scale of Google’s proactive security testing infrastructure.

User Action Required

Users across Windows, Mac, and Linux are strongly advised to update to Chrome 148.0.7778.96/97 immediately to remediate these vulnerabilities. The next stable release, Chrome 149, is scheduled for June 2, 2026.
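To confirm the update has actually landed on managed machines, the following added example (not from Google or the original article) classifies Chrome `--version` output against the fixed build named above. The article lists 148.0.7778.96/97 without saying which platform gets which, so the example assumes .96 as the floor; the host names and sample version strings are constructed.

```python
import re

# Fixed build from the article. Assumption: .96 is the minimum patched build
# on every platform, since the article does not map .96/.97 to platforms.
FIXED_BUILD = (148, 0, 7778, 96)

# Exactly four dot-separated numeric parts, not embedded in a longer version.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Extract the four-part version from `--version` style output, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text, fixed=FIXED_BUILD):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    version = parse_chrome_version(text)
    if version is None:
        return "unknown"  # treat as needing follow-up, never as patched
    # Tuple comparison is numeric per component; a plain string comparison
    # would wrongly rank "148.0.7778.100" below "148.0.7778.96".
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory):
    """Map host -> status for (host, version_output) pairs."""
    return {host: classify(output) for host, output in inventory}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-01", "Google Chrome 148.0.7778.97"),
    ("ws-02", "Google Chrome 148.0.7778.96 "),
    ("ws-03", "Google Chrome 147.0.7727.138"),
    ("ws-04", "Google Chrome 148.0.7778.100"),
    ("ws-05", "Google Chrome 149.0.7800.12 beta"),
    ("ws-06", "command not found"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Chrome only runs the new build after a relaunch, so a patched on-disk version should be paired with a browser restart.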