Google Chrome Update Fixes 79 Flaws, Including 14 Critical Bugs
Google released a Stable Channel update for Chrome Desktop that fixes 79 vulnerabilities, including 14 critical flaws, in version 148.0.7778.167/168 for Windows and Mac and 148.0.7778.167 for Linux. The most severe issues include heap buffer overflows, integer overflows, use-after-free bugs, a race condition, and insufficient validation of untrusted input in components such as WebML, Skia, Blink, ANGLE, and Payments. Google said it is restricting technical details and proof-of-concept information until more users are patched, citing the risk that browser bugs can be weaponized for arbitrary code execution, sandbox escape, data theft, and host compromise.
Government and industry advisories urged organizations to update immediately, with the Canadian Centre for Cyber Security issuing notice AV26-458 for versions prior to 148.0.7778.167/168 on Windows and Mac and prior to 148.0.7778.167 on Linux. The latest release follows an earlier Chrome advisory, AV26-358, that covered versions prior to 147.0.7727.101/102, underscoring a continuing stream of browser security fixes. Google also disclosed bug bounty awards tied to the new patch set, including $43,000 for CVE-2026-8509 in WebML and $25,000 for CVE-2026-8510 in Skia.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Debian issues DSA 6287-1 for Chromium security update
On 2026-05-21, Debian published security advisory DSA 6287-1 announcing another Chromium security update. This represents a new downstream packaging and release of Chromium security fixes by Debian following prior advisories.
Debian issues DSA 6273-1 for Chromium security update
On 2026-05-15, Debian published security advisory DSA 6273-1 announcing a Chromium security update. The advisory reflects Debian's downstream packaging of fixes for Chromium vulnerabilities following the upstream Chrome 148 security release.
Google withholds exploit details and highlights bug bounty awards
In reporting on the May 2026 Chrome 148 update, Google withheld detailed exploit information and proof-of-concept code to reduce immediate weaponization risk while patches are deployed. The company also disclosed bug bounty payouts including $43,000 for CVE-2026-8509 in WebML and $25,000 for CVE-2026-8510 in Skia.
Google releases Chrome 148 update fixing 79 vulnerabilities
On 2026-05-12, Google published a new Chrome Stable Channel security advisory covering versions prior to 148.0.7778.167/168 on Windows and Mac and prior to 148.0.7778.167 on Linux. The update patched 79 vulnerabilities, including 14 rated critical, across components such as WebML, Skia, Blink, ANGLE, and Payments.
Google issues Chrome Stable Channel security advisory for version 147
On 2026-04-15, Google published a security advisory addressing vulnerabilities in Chrome Stable Channel for Desktop affecting versions prior to 147.0.7727.101/102 on Windows and Mac and prior to 147.0.7727.101 on Linux. The Canadian Centre for Cyber Security subsequently urged users and administrators to review the advisory and apply updates.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
[SECURITY] [DSA 6287-1] chromium security update
lists.debian.org
Open source79 Chrome Vulnerabilities Patched, Including 14 Critical One’s - Update Now!
cybersecuritynews.com
Open source[SECURITY] [DSA 6273-1] chromium security update
lists.debian.org
Open sourceGoogle Chrome security advisory (AV26-458) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceGoogle Chrome security advisory (AV26-358) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Chrome fixes 151 flaws, including 22 critical remote code execution bugs
Google has released a major Chrome Stable update that patches **151 security vulnerabilities**, including **22 critical flaws** affecting desktop builds on Windows, macOS, and Linux, with related fixes also noted for Android and iOS. The patched desktop versions are `148.0.7778.216/217` for Windows, `148.0.7778.215/216` for macOS, and `148.0.7778.215` for Linux. Google and national cyber authorities urged users and administrators to update immediately, while the company temporarily withheld detailed technical information until most users receive the fixes. Google said none of the newly disclosed critical issues were known to be exploited in the wild at disclosure time. The most serious bugs include **CVE-2026-9872** in the GPU process, **CVE-2026-9873** in Network, **CVE-2026-9874** in Dawn, and **CVE-2026-9875** in WebGL, alongside numerous flaws in **ANGLE**, Bluetooth, Base, Proxy, media, and other browser components. The vulnerabilities span use-after-free, out-of-bounds read and write, integer overflow, race condition, and insufficient validation weaknesses that could enable **remote code execution**, sandbox escape, data corruption, or broader system compromise through malicious web content. Google said many issues were found internally through fuzzing, sanitizers, and control-flow integrity tooling, while external researchers also reported multiple bugs through the bounty program, with rewards reaching **$43,000**.
May 29, 2026
Google Chrome 148 fixes 127 flaws, including critical Blink and use-after-free bugs
Google has released **Chrome 148** to the stable channel for Windows, macOS, Linux, and Android, patching **127 security vulnerabilities** in one of the browser’s largest security update batches. The release fixes three **Critical** flaws: `CVE-2026-7896`, an integer overflow in **Blink** that could lead to heap corruption via a crafted HTML page, plus `CVE-2026-7897` and `CVE-2026-7898`, two use-after-free bugs affecting **Mobile** and **Chromoting**. Google said no active exploitation had been reported at release, but urged users to update to **148.0.7778.96/97** immediately; Canada’s cyber agency also advised administrators to apply the update for affected desktop versions prior to those builds. The advisory also covers more than two dozen high-severity issues across major Chromium components including **V8, ANGLE, WebRTC, GPU, Skia, UI, DevTools, Printing, Audio, ChromeDriver, and AdFilter**, many involving memory-safety errors such as use-after-free, type confusion, out-of-bounds access, and insufficient validation of untrusted input. Public CVE records tied to the release include `CVE-2026-7987`, `CVE-2026-7988`, `CVE-2026-7991`, `CVE-2026-7992`, `CVE-2026-7995`, `CVE-2026-8000`, `CVE-2026-8001`, `CVE-2026-8002`, `CVE-2026-8016`, and `CVE-2026-8018`, several of which could enable code execution inside Chrome’s sandbox or, in some cases, potential sandbox escape. Google credited internal testing tools such as fuzzers and sanitizers along with external researchers, paid at least **$138,000** in bug bounties, and withheld details for some issues until most users receive fixes; because the bugs affect Chromium, downstream browsers and enterprise Chromium deployments may also need corresponding updates.
May 7, 2026
Chrome Desktop Update Fixes 28 Flaws Including Critical Memory Corruption Bugs
Google released a Stable Channel update for Chrome Desktop, upgrading Windows and Mac to **149.0.7827.114/.115** and Linux to **149.0.7827.114**, to address **28 security vulnerabilities** across components including Core, DigitalCredentials, Accessibility, GPU, WebMIDI, Network, DevTools, Extensions, Video, and Views. The release includes **five critical flaws**, notably multiple use-after-free bugs, a heap buffer overflow in GPU, and insufficient validation of untrusted input in Accessibility; Google said technical details will remain restricted until most users are patched or dependent third-party fixes are available. Published CVE records tied to the release highlight several high-severity issues: **`CVE-2026-12013`**, a Chrome Media use-after-free on Windows that could be triggered through a crafted HTML page; **`CVE-2026-12014`**, a Cast use-after-free that could enable a sandbox escape from the local network segment via malicious network traffic; **`CVE-2026-12016`**, a DevTools flaw that could allow sandbox escape after renderer compromise; and **`CVE-2026-12018`**, a Mojo issue that could lead to OS-level privilege escalation on Windows through a malicious file. The Canadian Centre for Cyber Security urged users and administrators running versions prior to the patched builds to review Google’s advisory and apply updates as they become available.
Jun 12, 2026