Google Patches 79 Chrome Vulnerabilities, Including 14 Critical Flaws
Google has released a major Chrome security update that fixes 79 vulnerabilities, including 14 critical flaws affecting browser components such as WebML, Skia, UI, FileSystem, HID, Blink, ANGLE, Payments, Tab Groups, and Downloads.
The desktop update moves Chrome to version 148.0.7778.167/168 for Windows and Mac, and 148.0.7778.167 for Linux. Google also released Chrome 148.0.7778.167 for Android with the same security fixes as the corresponding desktop release, unless otherwise noted.
Users and administrators should install the update as soon as possible. Google has not announced active exploitation for these specific bugs, but browser vulnerabilities can quickly become targets once security details become public.
What Google fixed in Chrome 148
The May 12 Chrome update addresses a large group of memory-safety and input-validation flaws. These issues can affect how Chrome handles web content, browser UI, files, downloads, graphics, and device-related features.
Google said access to bug details may stay restricted until most users receive the fix. This limits the chance that attackers can quickly study the patches and turn them into working exploits before users update.
The most serious publicly listed issue is CVE-2026-8509, a critical heap buffer overflow in Chrome’s WebML component. Google awarded $43,000 to the external researcher who reported it.
| Update detail | Information |
|---|---|
| Release date | May 12, 2026 |
| Total security fixes | 79 |
| Critical vulnerabilities | 14 |
| Windows and Mac version | 148.0.7778.167/168 |
| Linux version | 148.0.7778.167 |
| Android version | 148.0.7778.167 |
| Highest listed bounty | $43,000 for CVE-2026-8509 |
The critical Chrome vulnerabilities
The 14 critical bugs listed by Google include heap buffer overflows, integer overflows, use-after-free flaws, object lifecycle issues, insufficient validation, and a race condition.
Several of these bug classes can lead to memory corruption. In a browser, memory corruption bugs can become serious because attackers may try to trigger them through a crafted web page.
Google’s public advisory lists the following critical issues fixed in this Chrome 148 update.
| CVE | Component | Issue type |
|---|---|---|
| CVE-2026-8509 | WebML | Heap buffer overflow |
| CVE-2026-8510 | Skia | Integer overflow |
| CVE-2026-8511 | UI | Use after free |
| CVE-2026-8512 | FileSystem | Use after free |
| CVE-2026-8513 | Input | Use after free |
| CVE-2026-8514 | Aura | Use after free |
| CVE-2026-8515 | HID | Use after free |
| CVE-2026-8516 | DataTransfer | Insufficient validation of untrusted input |
| CVE-2026-8517 | WebShare | Object lifecycle issue |
| CVE-2026-8518 | Blink | Use after free |
| CVE-2026-8519 | ANGLE | Integer overflow |
| CVE-2026-8520 | Payments | Race condition |
| CVE-2026-8521 | Tab Groups | Use after free |
| CVE-2026-8522 | Downloads | Use after free |
Why users should update quickly
Chrome is one of the most targeted applications because users interact with untrusted web content every day. A single malicious page can sometimes trigger a browser flaw if the browser remains unpatched.
Memory bugs such as use-after-free and heap buffer overflow vulnerabilities are especially important. Attackers often look for ways to combine browser memory bugs with sandbox escapes or other flaws to gain deeper access to a system.
Google keeps detailed bug information restricted during the rollout. That gives users time to update before technical details become widely available.
- Critical browser bugs can be triggered through crafted web content.
- Use-after-free flaws can allow unsafe access to memory after it has been released.
- Heap buffer overflows can corrupt memory and may support code execution attacks.
- Input-validation flaws can let malicious data reach code paths that expect trusted input.
- Race conditions can expose timing gaps that attackers may manipulate.
How to update Chrome on desktop
Chrome usually updates automatically, but the rollout may take days or weeks to reach every system. Users who want the fix immediately can trigger the update manually.
On Windows, Mac, or Linux, open Chrome and use the About Google Chrome page to check for updates. Chrome will download the new build if it is available for your device.
After the update installs, relaunch the browser. The security fixes do not fully apply to active browser sessions until Chrome restarts.
- Open Chrome.
- Click the three-dot menu in the top-right corner.
- Select Help.
- Click About Google Chrome.
- Wait for Chrome to check for and install the update.
- Click Relaunch when prompted.
- Return to the same page and confirm the installed version.
What enterprise admins should do
Enterprise administrators should verify Chrome update status across managed Windows, macOS, Linux, and Android devices. Systems that remain on older Chrome 148 builds or any pre-148.0.7778.167/168 desktop build should move to the patched version.
Admins should also check environments where browser updates may lag, such as virtual desktops, kiosk systems, shared workstations, testing images, and locked-down endpoints.
For managed Android devices, administrators should confirm that Google Play or enterprise mobility management policies push the Chrome 148.0.7778.167 update where applicable.
| Admin task | Reason |
|---|---|
| Audit Chrome versions | Find systems that have not received the security update. |
| Force browser restart where needed | Chrome must relaunch to complete the update. |
| Check managed Android devices | The Android release carries the same corresponding security fixes unless noted. |
| Review update policies | Delayed update windows can leave users exposed for longer. |
| Prioritize high-risk users | Administrators, developers, executives, and finance teams face higher phishing risk. |
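One way to run the version audit and the restart check from the table above, as an added example (not Google's tooling and not code from this article). The CSV column names and the sample rows are constructed assumptions; the minimum build is the 148.0.7778.167 figure the article gives for every platform.

```python
import csv
import io

# Lowest patched build named in the article, identical on all four platforms.
MIN_PATCHED = dict.fromkeys(("windows", "mac", "linux", "android"), (148, 0, 7778, 167))

# Constructed sample inventory; the column names are assumptions, not a real tool's export.
# Note 148.0.7778.99 sorts *after* .167 as a string, so versions must be compared as integers.
SAMPLE_INVENTORY = """host,os,installed_version,running_version
fin-ws-01,windows,148.0.7778.168,148.0.7778.168
dev-mbp-07,mac,148.0.7778.167,148.0.7778.99
kiosk-03,linux,148.0.7778.99,148.0.7778.99
vdi-gold,windows,147.0.0.0,147.0.0.0
mdm-px-22,android,148.0.7778.167,
lab-img-02,linux,unknown,
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a four-part version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(os_name, installed, running):
    """Classify one device as patched, pending-relaunch, vulnerable or unknown."""
    minimum = MIN_PATCHED.get(os_name.strip().lower())
    inst = parse_version(installed)
    if minimum is None or inst is None:
        return "unknown"  # surface for manual review instead of assuming it is safe
    if inst < minimum:
        return "vulnerable"
    run = parse_version(running)
    # A fixed build on disk does not protect a session still running the old binary.
    if run is not None and run < minimum:
        return "pending-relaunch"
    return "patched"

def audit(csv_text):
    """Map each host in the inventory to its status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: classify(r["os"], r["installed_version"], r["running_version"])
            for r in rows}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts reported as `pending-relaunch` are the ones the "Force browser restart where needed" task applies to, and `unknown` rows are the lagging images and kiosks worth checking by hand.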
No zero-day exploitation disclosed
Google’s release note does not say that any of the 79 patched vulnerabilities are being actively exploited. That is still not a reason to delay the update.
Once a security update lands, attackers can study changed code and public CVE records to understand what was fixed. That patch-analysis window creates risk for users who stay on older versions.
The safest approach is to update now, restart Chrome, and confirm that the browser reports the patched version for your operating system.
FAQ
Google fixed 79 security vulnerabilities in the May 12, 2026 Chrome 148 stable update, including 14 critical vulnerabilities.
The fixes are included in Chrome 148.0.7778.167/168 for Windows and Mac, 148.0.7778.167 for Linux, and Chrome 148.0.7778.167 for Android.
One of the most serious listed issues is CVE-2026-8509, a critical heap buffer overflow in WebML. Google awarded $43,000 for the report.
Google’s release note does not say that these 79 vulnerabilities are being actively exploited. Users should still update quickly because attackers can study patches after release.
Open Chrome, click the three-dot menu, select Help, click About Google Chrome, wait for the update to install, then click Relaunch. After restart, check the same page to confirm the patched version.