Google Chrome 148 fixes 127 security flaws, including three critical bugs


Google has released Chrome 148 for Windows, Mac, and Linux with 127 security fixes, including three critical vulnerabilities. Users should update as soon as the release reaches their device.

The stable desktop update brings Chrome to version 148.0.7778.96 on Linux and 148.0.7778.96 or 148.0.7778.97 on Windows and Mac. Google says the update will roll out over the coming days and weeks.

The most serious bugs affect Blink, Mobile, and Chromoting. Chrome also received fixes for high-severity issues in V8, ANGLE, SVG, DOM, GPU, WebRTC, Skia, Passwords, ServiceWorker, and other browser components.

Why Chrome users should update now

Browser bugs can be especially dangerous because attackers may only need to lure a user to a malicious page. Memory corruption flaws in rendering, JavaScript, graphics, and media components can create paths to crashes, data exposure, or code execution.

Google has not published full technical details for many of the bugs yet. The company commonly restricts bug details until most users receive the patch, which reduces the chance of attackers using the information too early.

There is no active exploitation warning in Google’s Chrome 148 desktop advisory. Still, the number and severity of fixes make this an important update for home users, enterprises, developers, and managed fleets.

At a glance

| Detail | Information |
| --- | --- |
| Release | Google Chrome 148 stable channel |
| Desktop platforms | Windows, Mac, and Linux |
| Linux version | 148.0.7778.96 |
| Windows and Mac version | 148.0.7778.96 or 148.0.7778.97 |
| Total security fixes | 127 |
| Critical flaws highlighted | 3 |
| Highest listed bounty | $55,000 for a V8 out-of-bounds read and write bug |

The three critical Chrome flaws

The first critical issue is CVE-2026-7896, an integer overflow in Blink. Blink is Chrome’s rendering engine, which means bugs in this area can affect how the browser processes web content.

The second critical issue is CVE-2026-7897, a use-after-free flaw in Chrome’s Mobile component. The third is CVE-2026-7898, a use-after-free flaw in Chromoting, the technology behind Chrome Remote Desktop.

Use-after-free bugs happen when software keeps using memory after it has already been released. Attackers often try to exploit this class of bug to corrupt memory and potentially run code in unexpected ways.

High-severity bugs also hit V8 and ANGLE

One of the most notable high-severity fixes is CVE-2026-7899, an out-of-bounds read and write issue in V8. V8 is Chrome’s JavaScript engine, so flaws there can carry serious risk when users visit hostile or compromised websites.

Google listed a $55,000 reward for CVE-2026-7899, the highest individual bounty shown in the advisory. The bug was reported by Project WhatForLunch.

Chrome 148 also fixes two high-severity ANGLE vulnerabilities: CVE-2026-7900, a heap buffer overflow, and CVE-2026-7901, a use-after-free issue. ANGLE helps Chrome handle graphics across platforms, so security problems in this area can affect web content that uses graphics features.

Key vulnerabilities fixed in Chrome 148

| CVE | Severity | Component | Issue type |
| --- | --- | --- | --- |
| CVE-2026-7896 | Critical | Blink | Integer overflow |
| CVE-2026-7897 | Critical | Mobile | Use after free |
| CVE-2026-7898 | Critical | Chromoting | Use after free |
| CVE-2026-7899 | High | V8 | Out-of-bounds read and write |
| CVE-2026-7900 | High | ANGLE | Heap buffer overflow |
| CVE-2026-7901 | High | ANGLE | Use after free |
| CVE-2026-7902 | High | V8 | Out-of-bounds memory access |

Chrome 148 covers a wide attack surface

The update does not focus on one narrow part of Chrome. Google listed fixes across browser rendering, graphics, media, permissions, downloads, extensions, developer tools, networking, site isolation, and browser UI.

That broad coverage matters because modern browsers are complex application platforms. Chrome handles JavaScript, video, audio, WebRTC, graphics acceleration, password storage, service workers, extensions, file downloads, and remote access features.

Many of the fixed issues were found through Google’s security testing systems, including sanitizers and fuzzing tools. These tools help find memory safety bugs before they reach attackers.

How to update Google Chrome

  • Open Google Chrome on your computer.
  • Click the three-dot menu in the top-right corner.
  • Go to Help.
  • Select About Google Chrome.
  • Wait for Chrome to check for updates.
  • Click Relaunch when the update finishes installing.

If the Relaunch button does not appear, Chrome may already be up to date. Linux users may also need to update Chrome through their system package manager, depending on how the browser was installed.

Enterprise administrators should check managed update policies, verify rollout status, and make sure users restart the browser. Chrome cannot fully apply the update until the browser restarts.

What users should do after updating

After Chrome restarts, users can return to the About Google Chrome page and confirm the version number. Windows and Mac users should see 148.0.7778.96 or 148.0.7778.97 when the update has landed.

Users should also update other Chromium-based browsers when vendors publish matching security releases. Vulnerabilities in shared Chromium components can affect browsers beyond Google Chrome.

For organizations, this release should go into the normal emergency patch review queue because it fixes critical memory safety bugs and a large number of high and medium severity issues.
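
For fleet verification, the sketch below is an added example (not from Google's advisory or the original article) that sorts hosts into patched, restart-pending, vulnerable, or unknown using the version numbers listed above. The inventory rows, host names, and the installed/running fields are constructed assumptions; real values would come from your endpoint management tooling.

```python
import re

# Fixed build from the article; 148.0.7778.97 is also listed for Windows and Mac.
# Assumption: any build at or above this number carries the Chrome 148 fixes.
FIXED_BUILDS = {p: (148, 0, 7778, 96) for p in ("linux", "windows", "mac")}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Pull a four-part version out of text such as 'Google Chrome 148.0.7778.96'.
    Returns a tuple of ints so comparison is numeric (as strings, '.100' < '.96')."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, installed, running):
    """Return 'patched', 'restart-pending', 'vulnerable' or 'unknown'."""
    fixed = FIXED_BUILDS.get(platform.lower())
    inst = parse_version(installed)
    if fixed is None or inst is None:
        return "unknown"
    if inst < fixed:
        return "vulnerable"
    if running:  # empty means no browser process was running at collection time
        run = parse_version(running)
        if run is None:
            return "unknown"
        if run < fixed:
            return "restart-pending"  # new binary on disk, old process still live
    return "patched"

# Constructed inventory: (host, platform, installed version, running version).
INVENTORY = [
    ("ws-01", "windows", "148.0.7778.97", "148.0.7778.97"),
    ("ws-02", "windows", "148.0.7778.96", "147.0.1.1"),
    ("lx-01", "linux", "Google Chrome 147.0.1.1", ""),
    ("mac-01", "mac", "148.0.7778.96", ""),
    ("lx-02", "linux", "not installed", ""),
]

def triage(inventory):
    report = {}
    for host, platform, installed, running in inventory:
        report.setdefault(classify(platform, installed, running), []).append(host)
    return report

if __name__ == "__main__":
    for status, hosts in sorted(triage(INVENTORY).items()):
        print(f"{status}: {', '.join(hosts)}")
```

The restart-pending bucket is the one to chase: the update is on disk, but the browser process still runs the old build until it is relaunched.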

FAQ

Was any Chrome 148 vulnerability exploited in the wild?

Google’s desktop advisory did not include an active exploitation warning for these Chrome 148 fixes.

What is the latest Chrome 148 desktop version?

Google listed Chrome 148.0.7778.96 for Linux and Chrome 148.0.7778.96 or 148.0.7778.97 for Windows and Mac.

How many security issues does Chrome 148 fix?

Chrome 148 includes 127 security fixes, according to Google’s stable channel advisory.

How many critical vulnerabilities are fixed?

Google highlighted three critical vulnerabilities: CVE-2026-7896, CVE-2026-7897, and CVE-2026-7898.
