Google Chrome 127 Vulnerabilities Patched in Latest Release
Key Takeaways Google has released a critical security update for Chrome, version 148.0.7778.96/97, addressing 127 vulnerabilities. The update includes patches for three Critical-rated flaws and over...
Key Takeaways
- Google has released a critical security update for Chrome, version 148.0.7778.96/97, addressing 127 vulnerabilities.
- The update includes patches for three Critical-rated flaws and over two dozen High-severity issues affecting Windows, Mac, and Linux users.
- Vulnerabilities include integer overflows, use-after-free conditions, and out-of-bounds memory access across various Chrome components.
- Users are strongly advised to update their Chrome browser immediately to mitigate significant security risks.
Extensive Security Update Lands for Google Chrome, Patching 127 Vulnerabilities
Google has rolled out a substantial security update for its Chrome browser, promoting version 148 to the stable channel across Windows, Mac, and Linux platforms. This release, identified as 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and Mac, stands out as one of the most comprehensive security patches in Chrome’s recent history, incorporating a staggering 127 security fixes.
Table Of Content
The vulnerabilities addressed span a wide range of severity levels. Among the 127 resolved issues, three are classified as Critical, more than two dozen are rated High, and numerous others fall into the Medium and Low categories.
In recognition of responsible disclosure, Google distributed over $100,000 in bug bounties to external security researchers. A notable individual payout of $55,000 was awarded to a single researcher for reporting a High-severity out-of-bounds read and write flaw within the V8 JavaScript engine.
Critical Vulnerabilities Addressed in Chrome 148
The three Critical-rated vulnerabilities represent the most severe risks. The first, CVE-2026-7896, is an integer overflow flaw discovered in the Blink rendering engine. An external researcher reported this vulnerability on March 18, leading to a $43,000 bounty.
The other two critical issues, CVE-2026-7897 and CVE-2026-7898, are both use-after-free vulnerabilities. One affects the Mobile component, while the other is found in Chromoting (Chrome Remote Desktop). Google’s internal teams reported these on April 18 and April 20, respectively.
Use-after-free vulnerabilities are particularly dangerous due to their potential to enable arbitrary code execution. Attackers can exploit these flaws by manipulating memory regions that have been freed but are still referenced by the program.
High-Severity Flaws and Research Contributions
The High-severity category encompasses a significant number of vulnerabilities impacting various attack surfaces. CVE-2026-7899, an out-of-bounds read and write flaw within Chrome’s V8 JavaScript engine, was reported by Project WhatForLunch (@pjwhatforlunch) and received the highest individual reward of $55,000 for this update.
Additionally, CVE-2026-7900, a heap buffer overflow, and CVE-2026-7901, a use-after-free bug, were identified in ANGLE, the graphics abstraction layer. Each of these earned a $16,000 reward.
Another notable High-severity issue is CVE-2026-7902, an out-of-bounds memory access in V8, reported by JunYoung Park from KAIST Hacking Lab, which garnered an $8,000 bounty. These flaws in V8 and ANGLE pose substantial risks, enabling potential drive-by exploitation through malformed web pages.
Broader Spectrum of Patched Vulnerabilities
Beyond the critical and high-severity issues, Chrome 148 addresses a multitude of use-after-free vulnerabilities impacting components such as SVG, DOM, Fullscreen, GPU, WebRTC, Skia, Passwords, ServiceWorker, PresentationAPI, and WebAudio, among others.
Medium-severity findings in this release include CVE-2026-7936, an object lifecycle issue in V8, CVE-2026-7988, a type confusion in WebRTC, and instances of insufficient policy enforcement across DevTools, Extensions, and DirectSockets.
Even a Low-severity flaw, CVE-2026-8022, an inappropriate implementation in MHTML, is significant. This vulnerability could allow a remote attacker to exfiltrate cross-origin data if a user is manipulated into performing specific UI gestures on a specially crafted MHTML page.
Google extended credit to dozens of independent researchers and organizations, including KAIST Hacking Lab, Tencent Security Xuanwu Lab, National Yang Ming Chiao Tung University’s Security and Systems Lab, and Theori, for their contributions.
According to Chrome’s official advisory, many of these bugs were identified through Google’s extensive proactive security testing infrastructure, utilizing automated fuzzing and sanitizer tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, libFuzzer, and AFL.
The next stable release, Chrome 149, is anticipated on June 2, 2026.
What You Should Do
- Update Immediately: All users on Windows, Mac, and Linux should update their Chrome browser to version 148.0.7778.96/97 without delay to apply these crucial security fixes.
- Verify Version: To update, navigate to Settings → Help → About Google Chrome. The browser will automatically check for and install the latest version.
- Restart Browser: Ensure you restart Chrome after the update to finalize the installation of the patches.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.