Google has released Chrome 148 to the stable channel, delivering one of the largest security updates in recent memory, fixing 127 vulnerabilities, including three critical-severity flaws that could allow attackers to execute arbitrary code on affected systems.
The Chrome team officially promoted Chrome 148 to the stable channel on May 5, 2026, rolling out version 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and Mac. The update addresses an unusually high number of security issues.
It follows a pattern of aggressive patch activity by Google’s security team, which has already fixed four actively exploited Chrome zero-days in 2026 alone.
Three critical-severity CVEs headline this release, each carrying the highest risk classification and the potential for remote code execution or process compromise.
127 Chrome Vulnerabilities Patched
CVE-2026-7896 is an integer overflow in Chrome’s Blink rendering engine, reported on March 18, 2026, by an external researcher who earned a $43,000 bug bounty reward, underscoring the severity of this class of flaw.
An integer overflow in a browser’s core rendering engine can be exploited by an attacker through a maliciously crafted webpage, potentially leading to heap corruption and arbitrary code execution.
CVE-2026-7897 is a use-after-free bug in the Mobile component, and CVE-2026-7898 is a use-after-free flaw in Chromoting, Chrome’s remote desktop protocol layer, both identified internally by Google’s security engineers.
Use-after-free vulnerabilities occur when a program continues to reference a memory location after it has been freed, a mistake attackers can exploit to inject malicious code into the execution flow.
Beyond the critical trio, this update resolves 31 high-severity vulnerabilities spanning virtually every major subsystem of the Chrome browser.
CVE-2026-7899, an out-of-bounds read and write in Chrome’s V8 JavaScript engine, was reported by Project WhatForLunch and rewarded $55,000, the highest bug bounty payout in this release cycle.
V8 vulnerabilities are especially dangerous because JavaScript executes on nearly every website, making the attack surface universally accessible. An additional V8 flaw, CVE-2026-7902 (out-of-bounds memory access), was reported by JunYoung Park of KAIST Hacking Lab and earned $8,000.
The GPU graphics pipeline was hit particularly hard, with CVE-2026-7900 (a heap buffer overflow in ANGLE) and CVE-2026-7901 (a use-after-free in ANGLE) both rated High and carrying $16,000 bounties each.
ANGLE is Chrome’s cross-platform OpenGL translation layer used for hardware-accelerated rendering. Multiple use-after-free bugs also appear in SVG (CVE-2026-7906), the DOM (CVE-2026-7907), WebRTC (CVE-2026-7928), ServiceWorker (CVE-2026-7922), and Fullscreen (CVE-2026-7908, CVE-2026-7917), reflecting how deeply Chrome’s component architecture can be attacked from a single malicious webpage.
The update also contains an extensive list of medium-severity issues, more than 60 in total, that collectively represent significant risk if left unpatched.
Notable medium-severity CVEs include CVE-2026-7927 (type confusion in the Runtime component), CVE-2026-7933 (out-of-bounds read in WebCodecs, reported by heapracer), and CVE-2026-7936 (an object lifecycle issue in V8 reported by Christian Holler). Insufficient policy enforcement bugs affect DevTools (CVE-2026-7937, CVE-2026-7913), Extensions (CVE-2026-7952), and WebUI (CVE-2026-7946), while race conditions were found in Shared Storage (CVE-2026-7954) and Speech (CVE-2026-7960). Race conditions, though harder to exploit reliably, can still be weaponized under specific timing conditions in targeted attacks.
Low-severity vulnerabilities round out the list, totaling 22 additional CVEs, including a side-channel information leak in the Media component (CVE-2026-8017), script injection in the browser UI (CVE-2026-8021), and insufficient input validation in SSL handling (CVE-2026-7996).
This release arrives as Google’s Chrome browser remains a prime target for threat actors. Earlier in 2026, Google patched four actively exploited zero-days, including CVE-2026-5281, a use-after-free in the Dawn WebGPU component, and CVE-2026-2441, a use-after-free in the CSS component, which was confirmed to be under active exploitation in the wild.
The sheer volume of 127 fixes in Chrome 148, compared with typical cycles of 20–40, suggests that Google conducted an extensive internal security audit ahead of this release, with the majority of bugs identified by its own engineers.
Chrome 148 also introduces new features, including the Prompt API for on-device Gemini Nano AI access, lazy loading for video and audio elements, and enhanced Data Controls covering drag-and-drop operations. These expanded capabilities increase Chrome’s attack surface, making the security patches all the more critical.
Mitigation
Users should update Chrome as soon as possible due to the critical severity of several flaws. To manually trigger the update:
- Open Chrome and click the three-dot menu in the top-right corner
- Navigate to Help > About Google Chrome
- Chrome will automatically check for and install the latest update
- Click Relaunch to complete the installation and activate the patched version
Enterprise administrators should prioritize deploying version 148.0.7778.96/97 across all managed endpoints through their preferred patch management solution, paying special attention to systems that use Chrome Remote Desktop (Chromoting), as multiple critical and high-severity flaws directly affect that component.
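A fleet check for the deployment guidance above, as an added example (not from the original article or from Google): it compares inventoried Chrome build numbers numerically against the 148.0.7778.96 floor and lists hosts that need action, with Chrome Remote Desktop hosts first. The CSV layout, column names, hostnames and sample versions are constructed for illustration.

```python
import csv
import io
import re

# Patched floor stated in the article: 148.0.7778.96 (Windows/Mac may report .97).
PATCHED_FLOOR = (148, 0, 7778, 96)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")

# Constructed inventory export: hosts, columns and versions are made up.
SAMPLE_INVENTORY = """\
host,os,chrome_version,remote_desktop
ws-001,windows,148.0.7778.97,no
ws-002,windows,147.0.7000.50,yes
mac-003,mac,148.0.7778.96,no
lnx-004,linux,148.0.7778.100,no
lnx-005,linux,99.0.4000.10,no
ws-006,windows,unknown,yes
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part build number."""
    match = VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def triage(inventory_csv, floor=PATCHED_FLOOR):
    """Return (host, status, uses_remote_desktop) for hosts needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["chrome_version"])
        if version is None:
            status = "unknown"    # unparseable data is treated as unpatched
        elif version < floor:     # tuple comparison is numeric, field by field
            status = "outdated"
        else:
            continue
        uses_rd = row["remote_desktop"].strip().lower() == "yes"
        findings.append((row["host"], status, uses_rd))
    # Chrome Remote Desktop hosts sort first, then by hostname.
    findings.sort(key=lambda item: (not item[2], item[0]))
    return findings


if __name__ == "__main__":
    for host, status, uses_rd in triage(SAMPLE_INVENTORY):
        note = " (Chrome Remote Desktop in use)" if uses_rd else ""
        print(f"{host}: {status}{note}")
```

Comparing the raw strings instead would misjudge both `148.0.7778.100` (sorts below `.96`) and `99.0.4000.10` (sorts above `148`), which is why the versions are parsed into integer tuples first.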
Critical (3 CVEs)
| CVE ID | Component | Vulnerability Type | Bounty | Reporter |
|---|---|---|---|---|
| CVE-2026-7896 | Blink | Integer Overflow | $43,000 | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-7897 | Mobile | Use After Free | N/A | |
| CVE-2026-7898 | Chromoting | Use After Free | N/A | |
High (31 CVEs)
| CVE ID | Component | Vulnerability Type | Bounty | Reporter |
|---|---|---|---|---|
| CVE-2026-7899 | V8 | Out of Bounds Read/Write | $55,000 | Project WhatForLunch |
| CVE-2026-7900 | ANGLE | Heap Buffer Overflow | $16,000 | Anonymous |
| CVE-2026-7901 | ANGLE | Use After Free | $16,000 | Syn4pse (@ret2happy) |
| CVE-2026-7902 | V8 | Out of Bounds Memory Access | $8,000 | JunYoung Park (KAIST) |
| CVE-2026-7903 | ANGLE | Integer Overflow | TBD | heesun |
| CVE-2026-7904 | Fonts | Out of Bounds Read | TBD | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-7905 | Media | Insufficient Input Validation | N/A | |
| CVE-2026-7906 | SVG | Use After Free | N/A | |
| CVE-2026-7907 | DOM | Use After Free | N/A | |
| CVE-2026-7908 | Fullscreen | Use After Free | N/A | |
| CVE-2026-7909 | ServiceWorker | Inappropriate Implementation | N/A | |
| CVE-2026-7910 | Views | Use After Free | N/A | |
| CVE-2026-7911 | Aura | Use After Free | N/A | |
| CVE-2026-7912 | GPU | Integer Overflow | N/A | |
| CVE-2026-7913 | DevTools | Insufficient Policy Enforcement | N/A | |
| CVE-2026-7914 | Accessibility | Type Confusion | N/A | |
| CVE-2026-7915 | DevTools | Insufficient Data Validation | N/A | |
| CVE-2026-7916 | InterestGroups | Insufficient Data Validation | N/A | |
| CVE-2026-7917 | Fullscreen | Use After Free | N/A | |
| CVE-2026-7918 | GPU | Use After Free | N/A | |
| CVE-2026-7919 | Aura | Use After Free | N/A | |
| CVE-2026-7920 | Skia | Use After Free | N/A | |
| CVE-2026-7921 | Passwords | Use After Free | N/A | |
| CVE-2026-7922 | ServiceWorker | Use After Free | N/A | |
| CVE-2026-7923 | Skia | Out of Bounds Write | N/A | |
| CVE-2026-7924 | Dawn | Uninitialized Use | N/A | |
| CVE-2026-7925 | Chromoting | Use After Free | N/A | |
| CVE-2026-7926 | PresentationAPI | Use After Free | TBD | Anonymous |
| CVE-2026-7927 | Runtime | Type Confusion | N/A | |
| CVE-2026-7928 | WebRTC | Use After Free | N/A | |
| CVE-2026-7929 | MediaRecording | Use After Free | N/A | |
Medium (62 CVEs)
| CVE ID | Component | Vulnerability Type | Bounty | Reporter |
|---|---|---|---|---|
| CVE-2026-7930 | Cookies | Insufficient Input Validation | TBD | Satoki |
| CVE-2026-7931 | iOS | Insufficient Input Validation | TBD | Qadhafy Muhammad Tera |
| CVE-2026-7932 | Downloads | Insufficient Policy Enforcement | TBD | Povcfe (Tencent Xuanwu Lab) |
| CVE-2026-7933 | WebCodecs | Out of Bounds Read | TBD | heapracer (@heapracer) |
| CVE-2026-7934 | Popup Blocker | Insufficient Input Validation | N/A | |
| CVE-2026-7935 | Speech | Inappropriate Implementation | TBD | Qadhafy Muhammad Tera |
| CVE-2026-7936 | V8 | Object Lifecycle Issue | TBD | Christian Holler |
| CVE-2026-7937 | DevTools | Insufficient Policy Enforcement | TBD | lebr0nli (NYCU) |
| CVE-2026-7938 | CSS | Use After Free | TBD | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-7939 | SanitizerAPI | Inappropriate Implementation | TBD | s3zer0 |
| CVE-2026-7940 | V8 | Use After Free | TBD | sakana |
| CVE-2026-7941 | Mobile | Insufficient Input Validation | TBD | Adithya Kotian |
| CVE-2026-7942 | ANGLE | Integer Overflow | N/A | |
| CVE-2026-7943 | ANGLE | Insufficient Input Validation | TBD | 86ac1f1587b71893ed2ad792cd7dde32 |
| CVE-2026-7944 | Persistent Cache | Insufficient Input Validation | N/A | |
| CVE-2026-7945 | COOP | Insufficient Input Validation | N/A | |
| CVE-2026-7946 | WebUI | Insufficient Policy Enforcement | N/A | |
| CVE-2026-7947 | Network | Insufficient Input Validation | N/A | |
| CVE-2026-7948 | Chromoting | Race Condition | N/A | |
| CVE-2026-7949 | Skia | Out of Bounds Read | N/A | |
| CVE-2026-7950 | GFX | Out of Bounds Read/Write | N/A | |
| CVE-2026-7951 | WebRTC | Out of Bounds Write | TBD | soft.connect.fr |
| CVE-2026-7952 | Extensions | Insufficient Policy Enforcement | N/A | |
| CVE-2026-7953 | Omnibox | Insufficient Input Validation | N/A | |
| CVE-2026-7954 | Shared Storage | Race Condition | N/A | |
| CVE-2026-7955 | GPU | Uninitialized Use | N/A | |
| CVE-2026-7956 | Navigation | Use After Free | N/A | |
| CVE-2026-7957 | Media | Out of Bounds Write | N/A | |
| CVE-2026-7958 | ServiceWorker | Inappropriate Implementation | N/A | |
| CVE-2026-7959 | Navigation | Inappropriate Implementation | N/A | |
| CVE-2026-7960 | Speech | Race Condition | N/A | |
| CVE-2026-7961 | Permissions | Insufficient Input Validation | N/A | |
| CVE-2026-7962 | DirectSockets | Insufficient Policy Enforcement | N/A | |
| CVE-2026-7963 | ServiceWorker | Inappropriate Implementation | N/A | |
| CVE-2026-7964 | FileSystem | Insufficient Input Validation | N/A | |
| CVE-2026-7965 | DevTools | Insufficient Input Validation | N/A | |
| CVE-2026-7966 | SiteIsolation | Insufficient Input Validation | N/A | |
| CVE-2026-7967 | Navigation | Insufficient Input Validation | N/A | |
| CVE-2026-7968 | CORS | Insufficient Input Validation | N/A | |
| CVE-2026-7969 | Network | Integer Overflow | N/A | |
| CVE-2026-7970 | TopChrome | Use After Free | N/A | |
| CVE-2026-7971 | ORB | Inappropriate Implementation | N/A | |
| CVE-2026-7972 | GPU | Uninitialized Use | N/A | |
| CVE-2026-7973 | Dawn | Integer Overflow | N/A | |
| CVE-2026-7974 | Blink | Use After Free | N/A | |
| CVE-2026-7975 | DevTools | Use After Free | N/A | |
| CVE-2026-7976 | Views | Use After Free | N/A | |
| CVE-2026-7977 | Canvas | Inappropriate Implementation | N/A | |
| CVE-2026-7978 | Companion | Inappropriate Implementation | N/A | |
| CVE-2026-7979 | Media | Inappropriate Implementation | N/A | |
| CVE-2026-7980 | WebAudio | Use After Free | N/A | |
| CVE-2026-7981 | Codecs | Out of Bounds Read | N/A | |
| CVE-2026-7982 | WebCodecs | Uninitialized Use | N/A | |
| CVE-2026-7983 | Dawn | Out of Bounds Read | N/A | |
| CVE-2026-7984 | ReadingMode | Use After Free | N/A | |
| CVE-2026-7985 | GPU | Use After Free | N/A | |
| CVE-2026-7986 | Autofill | Insufficient Policy Enforcement | N/A | |
| CVE-2026-7987 | WebRTC | Use After Free | N/A | |
| CVE-2026-7988 | WebRTC | Type Confusion | N/A | |
| CVE-2026-7989 | DataTransfer | Insufficient Data Validation | N/A | |
| CVE-2026-7990 | Updater | Insufficient Input Validation | N/A | |
| CVE-2026-7991 | UI | Use After Free | N/A | |
| CVE-2026-7992 | UI | Insufficient Input Validation | N/A | |
| CVE-2026-7993 | Payments | Insufficient Input Validation | N/A | |
| CVE-2026-7994 | Chromoting | Inappropriate Implementation | N/A | |
| CVE-2026-7995 | AdFilter | Out of Bounds Read | N/A | |
Low (22 CVEs)
| CVE ID | Component | Vulnerability Type | Bounty | Reporter |
|---|---|---|---|---|
| CVE-2026-7996 | SSL | Insufficient Input Validation | TBD | heesun |
| CVE-2026-7997 | Updater | Insufficient Input Validation | TBD | ochkofficial |
| CVE-2026-7998 | Dialog | Insufficient Input Validation | TBD | Tianyi Hu |
| CVE-2026-7999 | V8 | Inappropriate Implementation | TBD | Taisic Yun (Theori) |
| CVE-2026-8000 | ChromeDriver | Insufficient Input Validation | TBD | Ryan Jupp – HAAO |
| CVE-2026-8001 | Printing | Use After Free | TBD | c6eed09fc8b174b0f3eebedcceb1e792 |
| CVE-2026-8002 | Audio | Use After Free | N/A | |
| CVE-2026-8003 | TabGroups | Insufficient Input Validation | N/A | |
| CVE-2026-8004 | DevTools | Insufficient Policy Enforcement | N/A | |
| CVE-2026-8005 | Cast | Insufficient Input Validation | N/A | |
| CVE-2026-8006 | DevTools | Insufficient Policy Enforcement | N/A | |
| CVE-2026-8007 | Cast | Insufficient Input Validation | N/A | |
| CVE-2026-8008 | DevTools | Inappropriate Implementation | N/A | |
| CVE-2026-8009 | Cast | Inappropriate Implementation | N/A | |
| CVE-2026-8010 | SiteIsolation | Insufficient Input Validation | N/A | |
| CVE-2026-8011 | Search | Insufficient Policy Enforcement | N/A | |
| CVE-2026-8012 | MHTML | Inappropriate Implementation | N/A | |
| CVE-2026-8013 | FedCM | Insufficient Input Validation | N/A | |
| CVE-2026-8014 | Preload | Inappropriate Implementation | N/A | |
| CVE-2026-8015 | Media | Inappropriate Implementation | N/A | |
| CVE-2026-8016 | WebRTC | Use After Free | N/A | |
| CVE-2026-8017 | Media | Side-Channel Info Leakage | N/A | |
| CVE-2026-8018 | DevTools | Insufficient Policy Enforcement | N/A | |
| CVE-2026-8019 | WebApp | Insufficient Policy Enforcement | N/A | |
| CVE-2026-8020 | GPU | Uninitialized Use | N/A | |
| CVE-2026-8021 | UI | Script Injection | N/A | |
| CVE-2026-8022 | MHTML | Inappropriate Implementation | N/A | |
FAQ
Q1: What is the most critical vulnerability in Chrome 148?
CVE-2026-7896, an integer overflow in the Blink rendering engine, is the highest-rewarded critical flaw ($43,000 bounty) and can allow remote code execution via a crafted webpage.
Q2: How many CVEs does the Chrome 148 update fix?
Chrome 148 patches 127 security vulnerabilities in total, spanning Critical, High, Medium, and Low severity ratings across dozens of browser components.
Q3: Is any Chrome 148 vulnerability actively exploited in the wild?
No active exploitation of the Chrome 148 CVEs has been publicly confirmed as of this writing, though Google internally discovered the majority of flaws, suggesting proactive threat intelligence.
Q4: Which Chrome version should users be on after this update?
Users should ensure they are running Chrome 148.0.7778.96 on Linux or 148.0.7778.96/97 on Windows and Mac to be fully protected against all 127 patched vulnerabilities.
Site: thecybrdef.com