Google Chrome 148 fixes 127 flaws, including critical Blink and use-after-free bugs
Google has released Chrome 148 to the stable channel for Windows, macOS, Linux, and Android, patching 127 security vulnerabilities in one of the browser’s largest security update batches. The release fixes three Critical flaws: CVE-2026-7896, an integer overflow in Blink that could lead to heap corruption via a crafted HTML page, plus CVE-2026-7897 and CVE-2026-7898, two use-after-free bugs affecting Mobile and Chromoting. Google said no active exploitation had been reported at release, but urged users to update to 148.0.7778.96/97 immediately; Canada’s cyber agency also advised administrators to apply the update for affected desktop versions prior to those builds.
The advisory also covers more than two dozen high-severity issues across major Chromium components including V8, ANGLE, WebRTC, GPU, Skia, UI, DevTools, Printing, Audio, ChromeDriver, and AdFilter, many involving memory-safety errors such as use-after-free, type confusion, out-of-bounds access, and insufficient validation of untrusted input. Public CVE records tied to the release include CVE-2026-7987, CVE-2026-7988, CVE-2026-7991, CVE-2026-7992, CVE-2026-7995, CVE-2026-8000, CVE-2026-8001, CVE-2026-8002, CVE-2026-8016, and CVE-2026-8018, several of which could enable code execution inside Chrome’s sandbox or, in some cases, potential sandbox escape. Google credited internal testing tools such as fuzzers and sanitizers along with external researchers, paid at least $138,000 in bug bounties, and withheld details for some issues until most users receive fixes; because the bugs affect Chromium, downstream browsers and enterprise Chromium deployments may also need corresponding updates.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Google promotes Chrome 148 stable release across desktop platforms
Reporting on the rollout emphasized that Chrome 148 was one of the browser's largest recent security releases, with 127 fixes spanning Critical, High, Medium, and Low severity issues. Google said no active exploitation had been reported at release time and urged immediate updating across Windows, macOS, Linux, and Chromium-based environments.
NVD/CVE records are updated for Chrome 148 vulnerabilities
Multiple CVE records tied to the Chrome 148 release were analyzed or updated with descriptions, affected platforms, CWE classifications, CVSS scores, and references to Google's advisory and Chromium issue tracker entries. These updates included flaws such as CVE-2026-7987, CVE-2026-7988, CVE-2026-7991, CVE-2026-7992, CVE-2026-7995, CVE-2026-8000, CVE-2026-8001, CVE-2026-8002, CVE-2026-8016, and CVE-2026-8018.
Canadian Centre for Cyber Security issues advisory AV26-426
The Canadian Centre for Cyber Security published advisory AV26-426 warning that Chrome versions prior to 148.0.7778.96/97 were affected and urging users and administrators to apply Google's updates. The notice referenced Google's May 5 security advisory for Stable Channel Chrome for Desktop.
Google withholds details for some Chrome 148 flaws pending patch adoption
As part of the Chrome 148 release, Google said technical details for 21 vulnerabilities would remain restricted until a majority of users had updated. The release also credited external researchers and noted bug bounty payouts tied to the disclosed flaws.
Google publishes Chrome 148 stable desktop security update
Google published the Chrome 148 stable channel update for desktop, releasing version 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and Mac. The advisory disclosed 127 security fixes, including three critical vulnerabilities affecting Blink, Mobile, and Chromoting.
Sources
15 references tracked.
Google Chrome 148 Released with 127 Security Fixes, Three Critical Vulnerabilities Patched
cybersecuritynews.com
Google 148 Stable Channel Released with 127 Bug fixes - TheCyberThrone
thecyberthrone.in
Google Chrome security advisory (AV26-426) - Canadian Centre for Cyber Security
cyber.gc.ca
CVE-2026-8016 - Google Chrome WebRTC Use-After-Free Remote Code Execution
cvefeed.io
CVE-2026-8001 - Google Chrome After Free Vulnerability (Sandbox Escape)
cvefeed.io
CVE-2026-8018 - Google Chrome DevTools Sandbox Escape Vulnerability
cvefeed.io
Chrome Releases: Stable Channel Update for Desktop
chromereleases.googleblog.com
Chrome 148
opennet.me


