Google has officially promoted Chrome 148 to the stable channel for Windows, Mac, and Linux, rolling out version 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and Mac, one of the most security-intensive releases in the browser’s recent history, packing 127 security fixes in a single update.
Of the 127 vulnerabilities addressed, three carry a Critical severity rating, over two dozen are rated High, and a significant number fall under Medium and Low categories.
Google awarded more than $100,000 in bug bounties to external researchers for responsibly disclosing vulnerabilities, with a single researcher receiving $55,000 for reporting a High-severity out-of-bounds read and write flaw in V8.
Critical Chrome Vulnerabilities Patched
The three Critical-rated vulnerabilities pose the highest risk. CVE-2026-7896, an integer overflow in the Blink rendering engine, was reported on March 18 by an external researcher and earned a $43,000 bounty.
CVE-2026-7897 and CVE-2026-7898 are both use-after-free vulnerabilities, one in the Mobile component and one in Chromoting (Chrome Remote Desktop), both internally reported by Google on April 18 and April 20, respectively.
Use-after-free bugs are particularly dangerous as they can allow attackers to execute arbitrary code by manipulating freed memory regions.
The High-severity bracket covers a broad attack surface. CVE-2026-7899, an out-of-bounds read and write in Chrome’s V8 JavaScript engine, was reported by Project WhatForLunch (@pjwhatforlunch) and earned the update’s highest individual reward of $55,000.
CVE-2026-7900 and CVE-2026-7901 are heap buffer overflow and use-after-free bugs in ANGLE (the graphics abstraction layer), each earning $16,000 in rewards.
Additionally, CVE-2026-7902, an out-of-bounds memory access in V8, was reported by JunYoung Park of KAIST Hacking Lab and earned $8,000. Collectively, these V8 and ANGLE flaws represent significant risks for drive-by exploitation through maliciously crafted web pages.
Beyond the top-tier flaws, Chrome 148 addresses a cascade of use-after-free vulnerabilities across SVG, DOM, Fullscreen, GPU, WebRTC, Skia, Passwords, ServiceWorker, PresentationAPI, WebAudio, and more.
Medium-severity findings also include an object lifecycle issue in V8 (CVE-2026-7936), type confusion in WebRTC (CVE-2026-7988), and insufficient policy enforcement in DevTools, Extensions, and DirectSockets.
Notably, CVE-2026-8022, a Low-severity inappropriate implementation in MHTML, could allow a remote attacker to leak cross-origin data via a crafted MHTML page when a user is tricked into specific UI gestures.
Google credited dozens of independent researchers, including contributors from KAIST Hacking Lab, Tencent Security Xuanwu Lab, National Yang Ming Chiao Tung University’s Security and Systems Lab, and Theori.
According to Chrome’s advisory, the detected bugs were uncovered using automated fuzzing and sanitizer tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, libFuzzer, and AFL, underscoring the scale of Google’s proactive security testing infrastructure.
Users across Windows, Mac, and Linux should immediately update to Chrome 148.0.7778.96/97 to remediate these vulnerabilities.
The next stable release, Chrome 149, is scheduled for June 2, 2026. Users can update via Settings → Help → About Google Chrome, which triggers an automatic download and install.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
