Critical Chrome Flaws Allow Remote Code Execution Attacks
Google has issued an urgent security update for its Chrome browser. The patch addresses 16 vulnerabilities, including two rated Critical that could allow attackers to execute arbitrary code remotely...
Google has issued an urgent security update for its Chrome browser. The patch addresses 16 vulnerabilities, including two rated Critical that could allow attackers to execute arbitrary code remotely on affected systems.
Table Of Content
The Stable channel has been updated to 148.0.7778.178/179 for Windows and Mac, and 148.0.7778.178 for Linux, with the rollout expected to complete over the coming days.
Critical Chrome Vulnerabilities Patched
The two most severe flaws both carry a Critical severity rating and were reported internally by Google on April 20, 2026:
- CVE-2026-9111 — A Use-After-Free vulnerability in WebRTC, which could be exploited to corrupt memory and achieve remote code execution through a maliciously crafted web page.
- CVE-2026-9110 — An Inappropriate Implementation flaw in the UI layer, which could allow attackers to bypass security restrictions or spoof browser interface elements.
Use-after-free bugs are particularly dangerous because they allow threat actors to manipulate freed memory regions, often leading to full system compromise when successfully chained with other exploits.
High-Severity Vulnerabilities Patched
Beyond the critical bugs, Google patched nine High-severity flaws spanning multiple components:
| CVE | Type | Component | Bounty |
|---|---|---|---|
| CVE-2026-9112 | Use-After-Free | GPU | $11,000 |
| CVE-2026-9113 | Out-of-Bounds Read | GPU | $3,000 |
| CVE-2026-9114 | Use-After-Free | QUIC | N/A |
| CVE-2026-9115 | Insufficient Policy Enforcement | Service Worker | N/A |
| CVE-2026-9116 | Insufficient Policy Enforcement | ServiceWorker | N/A |
| CVE-2026-9117 | Type Confusion | GFX | N/A |
| CVE-2026-9118 | Use-After-Free | XR | N/A |
| CVE-2026-9119 | Heap Buffer Overflow | WebRTC | N/A |
| CVE-2026-9120 | Use-After-Free | WebRTC | N/A |
CVE-2026-9112 and CVE-2026-9113 were responsibly disclosed by an external researcher identified as c6eed09fc8b174b0f3eebedcceb1e792, earning a combined $14,000 in bug bounties.
Other Medium-Severity Fixes
Google also patched five Medium-severity issues, including out-of-bounds reads in GPU (CVE-2026-9121, CVE-2026-9122 — credited to David Korczynski of Adalogics and the same external researcher), a heap buffer overflow in Chromecast (CVE-2026-9123), insufficient input validation (CVE-2026-9124), and a use-after-free in DOM (CVE-2026-9126).
Mitigations
Google notes that bug details will remain restricted until most users have received the patch, reducing the risk of exploitation during the rollout window.
Users and administrators should take the following steps immediately:
- Navigate to chrome://settings/help and confirm the browser version is 148.0.7778.178 or higher
- Restart Chrome to apply any pending updates
- Enterprise administrators should force-deploy the update via policy management tools
- Monitor Chrome release notes and CISA advisories for any active exploitation indicators
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.