Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical Ones

May 29, 2026

Google has pushed a major Chrome Stable update that fixes 151 security flaws, including 22 critical vulnerabilities affecting core graphics, networking, media, and UI components across Windows, macOS, and Linux.

The Stable channel has been updated to version 148.0.7778.216/217 for Windows, 148.0.7778.215/216 for macOS, and 148.0.7778.215 for Linux, with the rollout scheduled over the coming days and weeks.

A full list of code changes between builds 148.0.7778.180 and 148.0.7778.217 is available in the Chromium source log. However, Google is restricting detailed bug information until most users receive the patch.

This staggered disclosure reduces the risk that attackers will weaponize the bugs against unpatched systems.

Google credits both internal teams and external security researchers for surfacing the issues during the development cycle and notes that many bugs were caught before they ever reached the stable branch.

The company again highlights its use of sanitizers, fuzzers, and control-flow integrity to detect memory corruption and undefined behavior at scale.

151 Vulnerabilities Patched in Chrome

Of the 151 vulnerabilities, 22 are rated critical, and several have already attracted substantial bug bounties.

Notable externally reported issues include an out-of-bounds write in the GPU process (CVE-2026-9872), a use-after-free in Network (CVE-2026-9873), a use-after-free in Dawn (CVE-2026-9874), and an out-of-bounds read in WebGL (CVE-2026-9875), with rewards of up to 43,000 USD per report.

These flaws could enable sandbox escapes, remote code execution, or data corruption if an attacker can lure a victim to a malicious page.

The majority of critical fixes, however, come from Google’s own teams and target the graphics and rendering stack, including ANGLE, Skia, WebGL, Dawn, XR, Bluetooth, UI, and core browser infrastructure.

Issues range from use‑after‑free and heap buffer overflows to integer overflows and insufficient validation of untrusted input, all of which are classic building blocks for reliable exploits in modern browsers.

Beyond the critical bugs, Google patched a large set of high‑severity flaws across DOM, Accessibility, Site Isolation, WebCodecs, PDF/PDFium, WebRTC, Passwords, WebAppInstalls, Media, USB, and more.

These include additional use‑after‑free conditions, out‑of‑bounds reads and writes, race conditions, and uninitialized memory use. Many of these were reported internally, though some credit researchers at Mozilla, Microsoft, OpenAI, and others.

| CVE ID | Component | Bug type | Reporter | Reward |
|---|---|---|---|---|
| CVE-2026-9872 | GPU | Out of bounds write | cinzinga | 43,000 USD |
| CVE-2026-9873 | Network | Use after free | cinzinga | 43,000 USD |
| CVE-2026-9874 | Dawn | Use after free | Anonymous | 11,000 USD |
| CVE-2026-9875 | WebGL | Out of bounds read | Anonymous | 5,000 USD |
| CVE-2026-9876 | WebGL | Use after free | happy2me | TBD |
| CVE-2026-9877 | ANGLE | Use after free | Google | N/A |
| CVE-2026-9878 | ANGLE | Use after free | Google | N/A |
| CVE-2026-9879 | ANGLE | Out of bounds write | Google | N/A |
| CVE-2026-9880 | WebGL | Insufficient validation of untrusted input | Google | N/A |
| CVE-2026-9881 | Bluetooth | Use after free | Google | N/A |
| CVE-2026-9882 | ANGLE | Integer overflow | Google | N/A |
| CVE-2026-9883 | Base | Use after free | Google | N/A |
| CVE-2026-9884 | Browser | Use after free | Google | N/A |
| CVE-2026-9885 | UI | Insufficient validation of untrusted input | Google | N/A |
| CVE-2026-9886 | Base | Use after free | Google | N/A |
| CVE-2026-9887 | Proxy | Use after free | Google | N/A |
| CVE-2026-9888 | WebView | Use after free | Google | N/A |
| CVE-2026-9889 | Dawn | Out of bounds read and write | Google | N/A |
| CVE-2026-9890 | XR | Use after free | Google | N/A |
| CVE-2026-9891 | Extensions | Use after free | Google | N/A |
| CVE-2026-9892 | Skia | Inappropriate implementation | Google | N/A |
| CVE-2026-9893 | Skia | Use after free | Google | N/A |

Medium‑severity vulnerabilities cover further integer overflows and insufficient input validation in components such as ANGLE, Skia, USB, V8, and Headless, with smaller but still significant bounties paid out.

Google notes that many of these bugs were found using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL, reinforcing the role of automated testing in reducing browser attack surface.

As usual, some bug details will remain private if they also affect widely used third‑party libraries that have not yet shipped their own fixes.

Enterprise defenders and end users are urged to upgrade Chrome to the latest 148.0.7778.x Stable build as soon as it becomes available for their platform, or to switch to a faster release channel if they need earlier access to patches.

Google encourages anyone who discovers new issues to file them via the public bug tracker and to use the Chrome community help forum for support on update and deployment issues.

Source: CybersecurityNews.com
