Google Chrome fixes 151 flaws, including 22 critical remote code execution bugs
Google has released a major Chrome Stable update that patches 151 security vulnerabilities, including 22 critical flaws affecting desktop builds on Windows, macOS, and Linux, with related fixes also noted for Android and iOS. The patched desktop versions are 148.0.7778.216/217 for Windows, 148.0.7778.215/216 for macOS, and 148.0.7778.215 for Linux. Google and national cyber authorities urged users and administrators to update immediately, while the company temporarily withheld detailed technical information until most users receive the fixes. Google said none of the newly disclosed critical issues were known to be exploited in the wild at disclosure time.
The most serious bugs include CVE-2026-9872 in the GPU process, CVE-2026-9873 in Network, CVE-2026-9874 in Dawn, and CVE-2026-9875 in WebGL, alongside numerous flaws in ANGLE, Bluetooth, Base, Proxy, media, and other browser components. The vulnerabilities span use-after-free, out-of-bounds read and write, integer overflow, race condition, and insufficient validation weaknesses that could enable remote code execution, sandbox escape, data corruption, or broader system compromise through malicious web content. Google said many issues were found internally through fuzzing, sanitizers, and control-flow integrity tooling, while external researchers also reported multiple bugs through the bounty program, with rewards reaching $43,000.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Google releases Chrome 148 Stable update fixing 151 vulnerabilities
Google released a major Chrome Stable update that patched 151 security vulnerabilities, including 22 critical flaws, across desktop platforms and corresponding builds on other platforms. The update advanced Chrome to 148.0.7778.216/217 on Windows, 148.0.7778.215/216 on macOS, and 148.0.7778.215 on Linux, while Google withheld detailed bug information until most users update.
Google publishes Chrome 148 desktop Stable security advisory
On May 27, 2026, Google published a security advisory for Stable Channel Chrome for Desktop covering versions prior to 148.0.7778.216/217 on Windows, 148.0.7778.215/216 on Mac, and 148.0.7778.215 on Linux. The advisory disclosed a large set of 2026 CVEs across components including GPU, Network, Dawn, WebGL, ANGLE, Bluetooth, Browser, XR, and Base.
Google releases Chrome 147 Stable security update fixing 31 flaws
On April 15, 2026, Google released a Chrome Stable Channel security update bringing the browser to version 147.0.7727.101/102 on Windows and macOS and 147.0.7727.101 on Linux. The update patched 31 vulnerabilities, including five critical memory-corruption issues that could enable arbitrary code execution.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical One’s
cybersecuritynews.com
Open sourceGoogle Chrome Security Update: Critical Flaws Fixed
securityonline.info
Open sourceGoogle Chrome 148 Security Update - TheCyberThrone
thecyberthrone.in
Open sourceGoogle Chrome security advisory (AV26-517) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceChrome Releases: Stable Channel Update for Desktop
chromereleases.googleblog.com
Open sourceCritical Chrome Vulnerabilities Let Attackers Execute Arbitrary Code - Update Now!
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Chrome Update Fixes 79 Flaws, Including 14 Critical Bugs
Google released a Stable Channel update for Chrome Desktop that fixes **79 vulnerabilities**, including **14 critical flaws**, in version `148.0.7778.167/168` for Windows and Mac and `148.0.7778.167` for Linux. The most severe issues include heap buffer overflows, integer overflows, use-after-free bugs, a race condition, and insufficient validation of untrusted input in components such as **WebML, Skia, Blink, ANGLE, and Payments**. Google said it is restricting technical details and proof-of-concept information until more users are patched, citing the risk that browser bugs can be weaponized for arbitrary code execution, sandbox escape, data theft, and host compromise. Government and industry advisories urged organizations to update immediately, with the Canadian Centre for Cyber Security issuing notice **AV26-458** for versions prior to `148.0.7778.167/168` on Windows and Mac and prior to `148.0.7778.167` on Linux. The latest release follows an earlier Chrome advisory, **AV26-358**, that covered versions prior to `147.0.7727.101/102`, underscoring a continuing stream of browser security fixes. Google also disclosed bug bounty awards tied to the new patch set, including **$43,000** for `CVE-2026-8509` in WebML and **$25,000** for `CVE-2026-8510` in Skia.
May 21, 2026
Google Chrome Patches 34 Flaws Including Multiple RCE Bugs
Google has released two Chrome Stable channel security updates that together patch **34 vulnerabilities**, including multiple flaws that could allow **remote code execution** if users are lured to malicious webpages. The first update fixed **26 issues**—including **three critical**, **22 high-severity**, and **one medium-severity** bugs—in components such as **WebGL**, **WebRTC**, **V8**, **Blink**, **Network**, **WebAudio**, **Dawn**, **PDFium**, **ANGLE**, and **Extensions**. Google said the most serious weaknesses involved memory corruption, including use-after-free, heap and stack buffer overflows, out-of-bounds access, integer overflows, type confusion, and insufficient validation of untrusted input. A follow-up update addressed **eight additional high-severity vulnerabilities** affecting **WebAudio**, **CSS**, **WebGL**, **Dawn**, **WebGPU**, **Fonts**, and **FedCM**, again dominated by memory-safety bugs that could lead to browser compromise. Google shipped versions `146.0.7680.153` and `146.0.7680.154` for Windows and macOS and `146.0.7680.153` for Linux in the first release, followed by `146.0.7680.164` and `146.0.7680.165` for Windows and macOS and `146.0.7680.164` for Linux in the second. The company said many flaws were found through **AddressSanitizer**, **MemorySanitizer**, and **libFuzzer**, paid a **$7,000** bounty for one WebAudio bug, and is withholding technical details until more users have updated to reduce the risk of exploit development.
Mar 24, 2026
Google Chrome 148 fixes 127 flaws, including critical Blink and use-after-free bugs
Google has released **Chrome 148** to the stable channel for Windows, macOS, Linux, and Android, patching **127 security vulnerabilities** in one of the browser’s largest security update batches. The release fixes three **Critical** flaws: `CVE-2026-7896`, an integer overflow in **Blink** that could lead to heap corruption via a crafted HTML page, plus `CVE-2026-7897` and `CVE-2026-7898`, two use-after-free bugs affecting **Mobile** and **Chromoting**. Google said no active exploitation had been reported at release, but urged users to update to **148.0.7778.96/97** immediately; Canada’s cyber agency also advised administrators to apply the update for affected desktop versions prior to those builds. The advisory also covers more than two dozen high-severity issues across major Chromium components including **V8, ANGLE, WebRTC, GPU, Skia, UI, DevTools, Printing, Audio, ChromeDriver, and AdFilter**, many involving memory-safety errors such as use-after-free, type confusion, out-of-bounds access, and insufficient validation of untrusted input. Public CVE records tied to the release include `CVE-2026-7987`, `CVE-2026-7988`, `CVE-2026-7991`, `CVE-2026-7992`, `CVE-2026-7995`, `CVE-2026-8000`, `CVE-2026-8001`, `CVE-2026-8002`, `CVE-2026-8016`, and `CVE-2026-8018`, several of which could enable code execution inside Chrome’s sandbox or, in some cases, potential sandbox escape. Google credited internal testing tools such as fuzzers and sanitizers along with external researchers, paid at least **$138,000** in bug bounties, and withheld details for some issues until most users receive fixes; because the bugs affect Chromium, downstream browsers and enterprise Chromium deployments may also need corresponding updates.
May 7, 2026