Google has officially promoted Chrome 148 to the stable channel for Windows, Mac, and Linux, rolling out version 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and Mac.
The release stands as one of the most security-intensive updates in Chrome’s recent history, packing 127 security fixes in a single update and awarding over $100,000 in bug bounties to external researchers.
Of the 127 vulnerabilities patched, three carry a Critical severity rating, over two dozen are rated High, and a significant number fall under Medium and Low categories.
The three Critical-rated vulnerabilities represent the highest risk to users. CVE-2026-7896 is an integer overflow in the Blink rendering engine, reported on March 18 by an external researcher and earning a $43,000 bug bounty.
CVE-2026-7897 and CVE-2026-7898 are both use-after-free vulnerabilities one in the Mobile component and one in Chromoting (Chrome Remote Desktop) internally reported by Google on April 18 and April 20, respectively.
Use-after-free bugs are particularly dangerous because they allow attackers to execute arbitrary code by manipulating freed memory regions.
The High-severity bracket covers a broad attack surface across Chrome’s core components. CVE-2026-7899, an out-of-bounds read and write in Chrome’s V8 JavaScript engine, was reported by researcher Project WhatForLunch (@pjwhatforlunch) and earned the update’s single highest individual reward of $55,000.
CVE-2026-7900 and CVE-2026-7901 are a heap buffer overflow and a use-after-free bug in ANGLE, Chrome’s graphics abstraction layer, each earning $16,000 in rewards.
Additionally, CVE-2026-7902, an out-of-bounds memory access in V8, was reported by JunYoung Park of KAIST Hacking Lab and earned $8,000. Collectively, these V8 and ANGLE flaws present significant risks for drive-by exploitation through maliciously crafted web pages.
Beyond the critical and high-tier flaws, Chrome 148 addresses a wide cascade of use-after-free vulnerabilities across SVG, DOM, Fullscreen, GPU, WebRTC, Skia, Passwords, ServiceWorker, PresentationAPI, WebAudio, and more.
Medium-severity findings include an object lifecycle issue in V8 (CVE-2026-7936), type confusion in WebRTC (CVE-2026-7988), and insufficient policy enforcement in DevTools, Extensions, and DirectSockets.
Notably, CVE-2026-8022, a Low-severity inappropriate implementation in MHTML, could allow a remote attacker to leak cross-origin data via a crafted MHTML page when a user is tricked into specific UI gestures.
Google credited dozens of independent researchers for their contributions, including contributors from KAIST Hacking Lab, Tencent Security Xuanwu Lab, National Yang Ming Chiao Tung University’s Security and Systems Lab, and Theori.
According to Chrome’s advisory, many of the detected bugs were uncovered using automated fuzzing and sanitizer tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, libFuzzer, and AFL underscoring the scale of Google’s proactive security testing infrastructure.
Users across Windows, Mac, and Linux should immediately update to Chrome 148.0.7778.96/97 to remediate these vulnerabilities. Updates can be applied via Settings → Help → About Google Chrome, which triggers an automatic download and install. The next stable release, Chrome 149, is scheduled for June 2, 2026.
No Comment! Be the first one.