
Overview
Google has released Chrome 148 to the stable channel, delivering one of the largest security update batches in the browser’s history — patching 127 vulnerabilities across Windows, macOS, and Linux. The update includes three critical flaws and dozens of high-severity memory safety bugs affecting core browser components such as Blink, V8, ANGLE, WebRTC, GPU, and Chromoting.
The new versions are Chrome 148.0.7778.96 for Linux and 148.0.7778.96/.97 for Windows and macOS. Android receives 148.0.7778.120. No active exploitation has been reported for any of the 127 vulnerabilities fixed in this release.
Severity Breakdown
Of the 127 vulnerabilities addressed, three carry a Critical severity rating, over two dozen are rated High, and a significant number fall under Medium and Low categories. Specifically, Chrome 148 includes patches for over 30 high-severity vulnerabilities, most of which are use-after-free bugs, while more than 60 of the security defects are medium-severity flaws.
Critical Vulnerabilities
CVE-2026-7896 — Integer Overflow in Blink
The most serious externally reported issue is CVE-2026-7896, a critical integer overflow vulnerability in Blink, Chrome’s rendering engine. The flaw was reported on March 18 by an external researcher who received a $43,000 bug bounty reward from Google. It could allow remote attackers to exploit heap memory corruption via a crafted HTML page.
CVE-2026-7897 — Use-After-Free in Mobile
CVE-2026-7897 is a use-after-free weakness affecting the Mobile component, discovered internally by Google in April 2026. These memory corruption errors remain a primary vector for remote code execution attacks, allowing malicious actors to trick users into loading specially crafted web pages that corrupt memory to run unauthorized commands.
CVE-2026-7898 — Use-After-Free in Chromoting
CVE-2026-7898 is another use-after-free bug, this one affecting Chromoting, the remote desktop component used by Chrome Remote Desktop. It was also discovered internally by Google researchers in April 2026. Exploitation of this class of flaw could enable sandbox bypass and full device compromise.
High-Severity Highlights
CVE-2026-7899, an out-of-bounds read and write vulnerability in the V8 engine, drew a $55,000 bounty — the single largest payout in this release.
The 30+ high-severity use-after-free bugs span ANGLE, SVG, DOM, Fullscreen, Views, Aura, GPU, Skia, Passwords, ServiceWorker, Chromoting, WebRTC, PresentationAPI, and MediaRecording. The breadth of affected components signals a systematic memory safety gap across the Chromium engine — these are not isolated findings.
Notable Medium-Severity Findings
Medium-severity findings include an object lifecycle issue in V8 (CVE-2026-7936), type confusion in WebRTC (CVE-2026-7988), and insufficient policy enforcement in DevTools, Extensions, and DirectSockets.
CVE-2026-8022, a low-severity inappropriate implementation in MHTML, could allow a remote attacker to leak cross-origin data via a crafted MHTML page when a user is tricked into specific UI gestures. Although rated low, it is a noteworthy cross-origin data leak primitive worth tracking in enterprise environments with sensitive intranet content.
Bug Bounty Summary
Google paid $138,000 in bug bounty rewards to external researchers, with the final amount expected to be higher as Google has yet to disclose amounts for many resolved issues. Contributing researchers include KAIST Hacking Lab, Tencent Security Xuanwu Lab, National Yang Ming Chiao Tung University’s Security and Systems Lab, and Theori.
Context: Volume Trend
The Chrome update from the previous week (Chrome 147) fixed 30 vulnerabilities. AI-assisted vulnerability search appears to be driving significantly higher discovery rates, which ultimately improves software security but also signals the accelerating pace at which the attack surface is being systematically enumerated.
This is not noise. When Google goes from 30 fixes in one release to 127 in the next, fuzzing toolchains and AI-assisted code analysis are uncovering memory safety debt at scale. The browser engine has become a lab specimen under continuous automated security scrutiny.
Affected Scope
Since the security vulnerabilities affect the Chromium base, users of Chromium-derived browsers such as Microsoft Edge should also check if an update is now available. This advisory extends to all Chromium-based enterprise deployments.
Remediation
Update immediately: open Settings → Help → About Google Chrome, which triggers the automatic download and install. A restart is required to apply the fixes.
Enterprise administrators managing Chrome via policy should force-push 148.0.7778.96/97 immediately. Do not wait for auto-rollout to complete organically across endpoints.
The next stable release, Chrome 149, is scheduled for June 2, 2026.
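Added example (not part of the original advisory and not Google tooling): a fleet check that compares reported Google Chrome versions against the fixed builds listed above, using numeric rather than string comparison. The "host,platform,version" inventory format and the sample hosts are assumptions, and 148.0.7778.96 is treated as the minimum for Windows and macOS. It applies to Google Chrome only, since Edge and other Chromium derivatives use their own version numbers.

```python
# Added example: flag Google Chrome installs below the Chrome 148 fixed builds.
# Minimum fixed build per platform, taken from the advisory text.
FIXED = {
    "linux": "148.0.7778.96",
    "windows": "148.0.7778.96",   # .96/.97 shipped; .96 is treated as the floor
    "macos": "148.0.7778.96",
    "android": "148.0.7778.120",
}

def parse_version(text):
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one endpoint."""
    floor = FIXED.get(platform.strip().lower())
    parsed = parse_version(version)
    if floor is None or parsed is None:
        return "unknown"  # never count unparseable data as compliant
    # Tuple comparison is numeric: (…, 100) > (…, 96), unlike "100" < "96".
    return "patched" if parsed >= parse_version(floor) else "vulnerable"

def audit(inventory_csv):
    """Map hostname -> status for hypothetical 'host,platform,version' lines."""
    report = {}
    for line in inventory_csv.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) == 3:
            report[fields[0]] = classify(fields[1], fields[2])
    return report

# Constructed sample inventory (hostnames and pre-148 version are made up).
SAMPLE = """
wks-001,windows,148.0.7778.97
wks-002,windows,147.0.7727.101
mac-014,macos,148.0.7778.96
lnx-203,linux,148.0.7778.100
and-551,android,148.0.7778.96
kiosk-7,chromeos,148.0.7778.96
srv-900,linux,not-installed
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need manual follow-up rather than being counted as compliant.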



