Google Chrome 148 Released with Fix for 127 Security

Google has officially promoted Chrome 148 to the stable channel for Windows, Mac, and Linux. This update rolls out as version 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and Mac. It stands as one of the browser’s most security-intensive releases in recent history, packing 127 security fixes into a single update.

Of the 127 vulnerabilities addressed, three carry a Critical severity rating, over two dozen are rated High, and a significant number fall under Medium and Low categories.

Google awarded more than $100,000 in bug bounties to external researchers for responsibly disclosing vulnerabilities, with a single researcher receiving $55,000 for reporting a High-severity out-of-bounds read and write flaw in V8.

Critical Chrome Vulnerabilities Patched

The three Critical-rated vulnerabilities pose the highest risk. CVE-2026-7896, an integer overflow in the Blink rendering engine, was reported on March 18 by an external researcher and earned a $43,000 bounty.

CVE-2026-7897 and CVE-2026-7898 are both use-after-free vulnerabilities, one in the Mobile component and one in Chromoting (Chrome Remote Desktop), both internally reported by Google on April 18 and April 20, respectively.

Use-after-free bugs are particularly dangerous as they can allow attackers to execute arbitrary code by manipulating freed memory regions.

The High-severity bracket covers a broad attack surface. CVE-2026-7899, an out-of-bounds read and write in Chrome’s V8 JavaScript engine, was reported by Project WhatForLunch (@pjwhatforlunch) and earned the update’s highest individual reward of $55,000.

CVE-2026-7900 and CVE-2026-7901 are heap buffer overflow and use-after-free bugs in ANGLE (the graphics abstraction layer), each earning $16,000 in rewards.

Additionally, CVE-2026-7902, an out-of-bounds memory access in V8, was reported by JunYoung Park of KAIST Hacking Lab and earned $8,000. Collectively, these V8 and ANGLE flaws represent significant risks for drive-by exploitation through maliciously crafted web pages.

Beyond the top-tier flaws, Chrome 148 addresses a cascade of use-after-free vulnerabilities across SVG, DOM, Fullscreen, GPU, WebRTC, Skia, Passwords, ServiceWorker, PresentationAPI, WebAudio, and more.

Medium-severity findings also include an object lifecycle issue in V8 (CVE-2026-7936), type confusion in WebRTC (CVE-2026-7988), and insufficient policy enforcement in DevTools, Extensions, and DirectSockets.

Notably, CVE-2026-8022, a Low-severity inappropriate implementation in MHTML, could allow a remote attacker to leak cross-origin data via a crafted MHTML page when a user is tricked into specific UI gestures.

Google credited dozens of independent researchers, including contributors from KAIST Hacking Lab, Tencent Security Xuanwu Lab, National Yang Ming Chiao Tung University’s Security and Systems Lab, and Theori.

According to Chrome’s advisory, the detected bugs were uncovered using automated fuzzing and sanitizer tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, libFuzzer, and AFL, underscoring the scale of Google’s proactive security testing infrastructure.

Users across Windows, Mac, and Linux should immediately update to Chrome 148.0.7778.96/97 to remediate these vulnerabilities.

The next stable release, Chrome 149, is scheduled for June 2, 2026. Users can update via Settings → Help → About Google Chrome, which triggers an automatic download and install.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.