
Overview
Google has pushed a major Chrome Stable update fixing 151 security flaws, including 22 critical vulnerabilities affecting core graphics, networking, media, and UI components across Windows, macOS, and Linux. According to Google, none of these vulnerabilities are being exploited in the wild yet.
Affected Versions / Fixed Versions
The Stable channel has been updated to version 148.0.7778.216/217 for Windows, 148.0.7778.215/216 for macOS, and 148.0.7778.215 for Linux, with the rollout scheduled over the coming days and weeks. Google has also released Chrome for Android 148.0.7778.215 and Chrome for iOS 149.0.7827.45.
Vulnerability Breakdown
The 22 critical vulnerabilities are tracked as CVE-2026-9872 through CVE-2026-9893. A further 123 are classified as high risk, with the remaining six classified as medium risk.
Use-after-free (UAF) vulnerabilities account for more than half of everything, totalling 66 of the 151 flaws. A total of 35 vulnerabilities have been fixed in the ANGLE OpenGL library alone, four of which are classified as critical.
Notable Critical CVEs (Externally Reported):
Notable externally reported issues include an out-of-bounds write in the GPU process (CVE-2026-9872), use-after-free in Network (CVE-2026-9873), use-after-free in Dawn (CVE-2026-9874), and an out-of-bounds read in WebGL (CVE-2026-9875), with bug bounty rewards of up to $43,000 per report.
Affected Components (Critical Severity):
The majority of critical fixes target the graphics and rendering stack, including ANGLE, Skia, WebGL, Dawn, XR, Bluetooth, UI, and core browser infrastructure. Issues range from use-after-free and heap buffer overflows to integer overflows and insufficient validation of untrusted input — all classic building blocks for reliable exploits in modern browsers.
Exploitation Impact
These flaws could enable sandbox escapes, remote code execution, or data corruption if an attacker can lure a victim to a malicious page. The attack surface here is a single browser tab — no credentials, no network access, no prior foothold required. Drive-by exploitation via malicious web pages remains the primary delivery mechanism for Chrome-class vulnerabilities.
Disclosure Policy
Google is restricting detailed bug information until most users receive the patch. This staggered disclosure reduces the risk that attackers will weaponize the bugs against unpatched systems.
Remediation
Update Chrome immediately via Menu → Help → About Google Chrome. Auto-update will handle most managed environments, but version drift in enterprise software catalogs is a real risk: verify deployed versions against 148.0.7778.216/217 (Windows) or the equivalent fixed build for each platform and channel across all endpoints. Fixed builds for mobile and Extended Stable:
- Chrome for Android: 148.0.7778.215
- Chrome for iOS: 149.0.7827.45
- Extended Stable (Windows/macOS): 148.0.7778.217
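
The version check described above can be scripted against an endpoint inventory export. This is an added example, not part of Google's advisory or any vendor tooling: the CSV column names, hosts and sample versions are constructed, and the minimum builds are the Stable builds quoted on this page (Extended Stable is not covered). Versions are compared numerically because a plain string comparison would rank 148.0.7778.96 above 148.0.7778.216.

```python
import csv
import io

# Lowest fixed Stable build per platform, as quoted in this advisory.
FIXED = {
    "windows": "148.0.7778.216",
    "macos": "148.0.7778.215",
    "linux": "148.0.7778.215",
    "android": "148.0.7778.215",
    "ios": "149.0.7827.45",
}

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints; return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def audit(inventory_csv):
    """Return (host, platform, version, status) for every host needing attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        platform = row["platform"].strip().lower()
        minimum = FIXED.get(platform)
        seen = parse_version(row["chrome_version"])
        if minimum is None:
            status = "unknown-platform"      # no fixed build listed for it here
        elif seen is None:
            status = "unparseable-version"   # treat as unverified, not as patched
        elif seen < parse_version(minimum):
            status = "outdated"
        else:
            continue                         # at or above the fixed build
        findings.append((row["host"], platform, row["chrome_version"], status))
    return findings

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,platform,chrome_version
ws-001,Windows,148.0.7778.217
ws-002,Windows,148.0.7778.96
mac-003,macOS,148.0.7778.215
lnx-004,Linux,147.0.7700.10
ios-005,iOS,148.0.7778.215
kiosk-006,ChromeOS,148.0.7778.215
ws-007,Windows,unknown
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Hosts with an unknown platform or an unparseable version are reported rather than skipped, so gaps in the inventory do not pass as patched endpoints.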