Google Chrome 148 Released with 127 Security Fixes
- 8 May
Google has rolled out Chrome 148 to the stable channel for Windows, macOS, and Linux, delivering one of the browser’s most security-focused updates in recent months. The new release, version 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and Mac, resolves a total of 127 security vulnerabilities.
Among the fixed issues, three vulnerabilities are classified as Critical, while more than two dozen are rated High severity. The remaining flaws fall under Medium and Low severity categories.
Google also awarded more than $100,000 in bug bounty rewards to external researchers who responsibly reported several of these vulnerabilities. One researcher received $55,000 for identifying a High-severity out-of-bounds read and write issue in Chrome’s V8 JavaScript engine.
The most severe fixes include CVE-2026-7896, an integer overflow vulnerability in the Blink rendering engine, which earned a $43,000 reward. Two additional Critical flaws, CVE-2026-7897 and CVE-2026-7898, are use-after-free vulnerabilities affecting the Mobile component and Chromoting, also known as Chrome Remote Desktop. Use-after-free vulnerabilities are considered especially dangerous because they may allow attackers to manipulate memory and potentially execute arbitrary code.

The High-severity vulnerabilities cover several important browser components. CVE-2026-7899, an out-of-bounds read and write flaw in V8, received the highest individual reward of this update. Other notable issues include heap buffer overflow and use-after-free vulnerabilities in ANGLE, as well as additional memory access problems in V8.
Chrome 148 also fixes multiple use-after-free vulnerabilities across components such as SVG, DOM, Fullscreen, GPU, WebRTC, Skia, Passwords, ServiceWorker, PresentationAPI, and WebAudio. Medium-severity issues include object lifecycle problems in V8, type confusion in WebRTC, and insufficient policy enforcement in DevTools, Extensions, and DirectSockets.
One Low-severity issue in MHTML could allow a remote attacker to leak cross-origin data through a specially crafted MHTML page if a user is tricked into performing specific interface actions.
Google credited several independent researchers and security teams, including KAIST Hacking Lab, Tencent Security Xuanwu Lab, National Yang Ming Chiao Tung University’s Security and Systems Lab, and Theori. Many of the bugs were identified using automated fuzzing and sanitizer tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, libFuzzer, and AFL.
Users on Windows, macOS, and Linux are strongly advised to update Chrome as soon as possible. The update can be installed by navigating to Settings → Help → About Google Chrome, which will automatically check for and apply the latest version.
Organizations should centrally monitor browser updates and apply critical security patches without delay.
Users should be made aware that using outdated browsers increases the risk of exploitation through malicious web pages.
Endpoint security solutions, EDR, and web security layers should be used to provide additional protection against browser-based attacks.
IT teams should regularly track critical CVE announcements and prepare rapid response plans for affected systems.
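For the central monitoring recommendation above, a fleet check can compare each endpoint's reported Chrome build against the fixed version 148.0.7778.96 named in this article. This is an added example, not code from Google or from the original article; the inventory rows, host names and function names are constructed assumptions.

```python
# Added example: flag hosts whose Chrome build predates the fixed 148 release.
# Minimum builds come from the article; the inventory rows are constructed.
MIN_FIXED = {
    "linux": (148, 0, 7778, 96),
    "windows": (148, 0, 7778, 96),
    "mac": (148, 0, 7778, 96),
}

# Constructed sample inventory: (hostname, platform, reported Chrome version)
INVENTORY = [
    ("ws-001", "windows", "148.0.7778.97"),
    ("ws-002", "windows", "147.0.7700.120"),
    ("mac-014", "mac", "148.0.7778.96"),
    ("lnx-07", "linux", "148.0.7778.9"),
    ("lnx-08", "linux", "148.0.7778.100"),
    ("kiosk-3", "windows", "unknown"),
]


def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a Chrome build."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(platform, version_text):
    """Return 'patched', 'outdated', or 'unknown' for one inventory row."""
    minimum = MIN_FIXED.get(platform.lower())
    version = parse_version(version_text)
    if minimum is None or version is None:
        return "unknown"  # unparseable data needs follow-up, not a pass
    # Tuple comparison is numeric per component, so .100 > .96 and .9 < .96;
    # a plain string comparison would get both of those wrong.
    return "patched" if version >= minimum else "outdated"


def needs_attention(inventory):
    """Hosts that are outdated or could not be evaluated."""
    return [(host, status) for host, plat, ver in inventory
            if (status := classify(plat, ver)) != "patched"]


if __name__ == "__main__":
    for host, status in needs_attention(INVENTORY):
        print(f"{host}: {status}")
```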
For detailed information, you can contact our experts at info@zerosecond.ae.




















