Google Patches 151 Chrome Vulnerabilities, Including 22 Critical Flaws
Google has released a major Chrome Stable update that fixes 151 security vulnerabilities, including 22 flaws rated critical. The Chrome Stable Channel update is rolling out now for Windows, macOS, and Linux users.
The patched desktop versions are 148.0.7778.216 and 148.0.7778.217 for Windows, 148.0.7778.215 and 148.0.7778.216 for macOS, and 148.0.7778.215 for Linux. Google says the rollout will happen over the coming days and weeks.
The update is important because several of the most serious bugs affect Chrome’s graphics, networking, WebGL, Dawn, ANGLE, UI, Bluetooth, and core browser components. These are areas attackers often target because memory bugs in a browser can lead to sandbox escapes, data corruption, or code execution.
What Google Fixed in This Chrome Update
Google says this Chrome release includes 151 security fixes. The company highlighted externally reported issues and kept some bug details restricted until most users receive the update.
The top externally reported flaws include CVE-2026-9872, an out-of-bounds write in GPU, and CVE-2026-9873, a use-after-free issue in Network. Google awarded $43,000 for each of those reports.
The NVD entry for CVE-2026-9872 describes the issue as an out-of-bounds write in Chrome’s GPU component that could allow a remote attacker to potentially perform a sandbox escape through a crafted HTML page.
| Update Area | Details |
|---|---|
| Total fixes | 151 security fixes |
| Critical flaws | 22 vulnerabilities rated critical |
| Desktop versions | Windows 148.0.7778.216/217, macOS 148.0.7778.215/216, Linux 148.0.7778.215 |
| Android version | Chrome 148.0.7778.215 |
| Most notable components | GPU, Network, Dawn, WebGL, ANGLE, Skia, Bluetooth, UI, Extensions, WebView |
The Most Serious Chrome Bugs
Several of the critical vulnerabilities involve memory safety problems. These include use-after-free flaws, out-of-bounds reads and writes, integer overflows, and insufficient validation of untrusted input.
Memory bugs matter because an attacker may be able to trigger them by convincing a user to open a malicious page. In a successful chain, a browser flaw can become a stepping stone toward escaping Chrome’s sandbox or running code in a more privileged context.
The Google release note lists the first 22 critical issues as CVE-2026-9872 through CVE-2026-9893. It also credits outside researchers for several early entries, while many other critical bugs were found by Google’s internal teams.
| CVE | Component | Bug Type | Reporter | Reward |
|---|---|---|---|---|
| CVE-2026-9872 | GPU | Out-of-bounds write | cinzinga | $43,000 |
| CVE-2026-9873 | Network | Use-after-free | cinzinga | $43,000 |
| CVE-2026-9874 | Dawn | Use-after-free | Anonymous | $11,000 |
| CVE-2026-9875 | WebGL | Out-of-bounds read | Anonymous | $5,000 |
| CVE-2026-9876 | WebGL | Use-after-free | happy2me | To be determined |
Chrome for Android Also Received the Fixes
Google also released Chrome 148.0.7778.215 for Android. The Chrome for Android update says Android releases contain the same security fixes as their corresponding desktop releases unless Google notes otherwise.
That matters because several CVE descriptions specifically mention Chrome on Android. Mobile users should not assume they are protected only because desktop updates are rolling out.
Android users should update Chrome through Google Play as soon as the new version becomes available. Enterprise teams managing Android fleets should confirm that managed devices receive the updated build and do not stay pinned to older versions.
Why Google Is Restricting Bug Details
Google often limits access to technical bug details until most users have installed the fix. This reduces the chance that attackers can quickly turn a newly disclosed vulnerability into a working exploit against unpatched users.
The company also says it may keep details restricted when a bug exists in a third-party library that other projects use and have not yet patched. This approach gives dependent projects more time to ship fixes before exploit details become widely available.
The Chrome 148 release notes describe the broader Chrome 148 stable release across Android, ChromeOS, Linux, macOS, and Windows, while the later Stable Channel update adds the large security patch set now moving through the rollout process.
How Users Can Update Chrome
Chrome usually updates automatically, but users still need to relaunch the browser to finish installation. Anyone who keeps Chrome open for days may remain on a vulnerable build longer than expected.
Google’s official Chrome update instructions tell desktop users to open Chrome, select the three-dot menu, go to Help, choose About Google Chrome, and then relaunch after the update installs.
On Android, the update arrives through Google Play. The Android release post says Chrome 148.0.7778.215 will become available over the next few days.
- Open Chrome on desktop.
- Select the three-dot menu in the top-right corner.
- Go to Help and then About Google Chrome.
- Wait for Chrome to check for updates.
- Select Relaunch after the update finishes.
- On Android, update Chrome from Google Play when the new build appears.
What Enterprise Admins Should Do
Enterprise admins should verify Chrome versions across Windows, macOS, Linux, and Android fleets. Systems below the fixed build should move into the urgent update group, especially devices used by administrators, finance teams, engineers, and users who regularly handle sensitive accounts.
Admins should also check update policies that delay Chrome releases. A short delay may make sense for compatibility testing, but critical browser fixes need a fast exception path.
The Google Chrome help page notes that users can check their current browser version from the About Google Chrome page. Managed environments should automate this check through endpoint management tools instead of relying on users to report versions manually.
| Platform | Fixed Version to Check | Admin Priority |
|---|---|---|
| Windows | 148.0.7778.216 or 148.0.7778.217 | High |
| macOS | 148.0.7778.215 or 148.0.7778.216 | High |
| Linux | 148.0.7778.215 | High |
| Android | 148.0.7778.215 | High |
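
The automated version check recommended above, as an added example that is not from Google or the original article: it classifies rows of an inventory export against the fixed builds in the table. The hostnames and sample inventory are constructed, and treating any build at or above the lowest fixed version for a platform as patched is an assumption.

```python
import re

# Lowest fixed build per platform, taken from the table above.
FIXED_MIN = {
    "windows": (148, 0, 7778, 216),
    "macos": (148, 0, 7778, 215),
    "linux": (148, 0, 7778, 215),
    "android": (148, 0, 7778, 215),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Pull a four-part version out of e.g. 'Google Chrome 148.0.7778.215'."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, reported):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory row."""
    minimum = FIXED_MIN.get(platform.strip().lower())
    version = parse_version(reported)
    if minimum is None or version is None:
        return "unknown"  # unparseable rows need follow-up, never a silent pass
    # Tuple comparison is numeric per component, so 7778.99 < 7778.215.
    return "patched" if version >= minimum else "vulnerable"

def audit(rows):
    """Group hostnames by status; rows are (host, platform, version) tuples."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, reported in rows:
        report[classify(platform, reported)].append(host)
    return report

# Constructed sample inventory (hypothetical hosts), shaped like an
# endpoint management export.
SAMPLE = [
    ("fin-lt-01", "Windows", "148.0.7778.216"),
    ("fin-lt-02", "Windows", "148.0.7778.215"),  # below the Windows fixed build
    ("eng-mac-07", "macOS", "Google Chrome 148.0.7778.215"),
    ("build-03", "Linux", "147.0.7700.90"),
    ("pixel-11", "Android", "148.0.7778.215"),
    ("kiosk-02", "Windows", ""),                 # agent returned no version
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` group deserve the same urgency as `vulnerable` ones until a version is confirmed.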
No Active Exploitation Mentioned, but the Risk Is Still High
Google’s advisory does not say that these vulnerabilities are being exploited in the wild. Still, the number of fixes and the severity of the top issues make this an update users should not delay.
Browser flaws move quickly from patch notes to attacker interest. Once security researchers, defenders, and threat actors can compare patched and unpatched builds, the window for exploit development can shrink.
The CVE-2026-9872 listing shows why even a single GPU flaw can matter. A crafted page may be enough to trigger a path toward sandbox escape, which is one of the more serious outcomes for a modern browser vulnerability.
What This Update Says About Browser Security
This release also shows how much of modern browser security depends on finding memory bugs before attackers do. Google credited internal teams, external researchers, and automated testing tools for catching many issues during development.
Chrome’s security work relies heavily on fuzzing, sanitizers, and control-flow integrity to detect crashes, memory corruption, and undefined behavior at scale. Those tools reduce risk, but they do not remove the need for fast patching on user systems.
The broader Chrome 148 documentation also shows how large each stable release has become. Browser updates now ship feature changes, platform support, security fixes, and enterprise-impacting changes together, which makes update management a core security task.
The Bottom Line
Google’s latest Chrome update fixes 151 vulnerabilities, including 22 critical flaws in important browser components. Users should update Chrome and relaunch it as soon as the patched version reaches their device.
Enterprise teams should treat this as a priority patch cycle. Any Chrome installation below the fixed 148.0.7778.x builds should be updated quickly, especially on systems used for privileged access, development, finance, or sensitive browsing.
FAQ
Google fixed 151 security vulnerabilities in the Chrome Stable update. The release includes 22 flaws rated critical.
The fixed desktop versions are 148.0.7778.216 and 148.0.7778.217 for Windows, 148.0.7778.215 and 148.0.7778.216 for macOS, and 148.0.7778.215 for Linux. Chrome 148.0.7778.215 is rolling out for Android.
CVE-2026-9872 is a critical out-of-bounds write vulnerability in Chrome’s GPU component. Public vulnerability data says it could allow a remote attacker to potentially perform a sandbox escape through a crafted HTML page.
Google’s release note does not state that the newly fixed vulnerabilities are being exploited in the wild. Users should still update quickly because critical browser flaws can attract attacker interest after patches become public.
Open Chrome, select the three-dot menu, go to Help, choose About Google Chrome, wait for the update check to finish, and then select Relaunch if Chrome installs an update.