Chrome 148: Google Patches 151 Vulnerabilities, Including 22 Critical Flaws
Google has released Chrome 148, addressing 151 security vulnerabilities with 22 rated at maximum criticality. The update includes over $130,000 in bug bounties…

Google released Chrome 148 this week, a massive security update that resolves 151 vulnerabilities, 22 of which carry a critical severity rating. This release marks a sharp acceleration in patching activity: since late March 2026, the number of flaws addressed per release has more than tripled, with over 350 total issues tackled in this version alone. The majority of the critical vulnerabilities are use-after-free (UAF) bugs within the rendering engine and core system components. These flaws enable remote code execution (RCE) and allow attackers to escape the Chrome sandbox.
- Chrome 148 fixes 151 vulnerabilities: 22 critical, 123 high-severity, and 6 medium-severity.
- Use-after-free bugs dominate the critical list, facilitating RCE and sandbox escapes.
- Google paid over $130,000 in bug bounties for 10 researcher-reported flaws, including two top rewards of $43,000.
- Patching volume has surged since late March 2026, with Chrome 148 addressing more than 350 total issues.
The Five Public CVEs: Where Criticality Hits Hardest
Among the 22 critical vulnerabilities, five have been assigned specific CVEs, all relating to memory safety bugs in the browser's core components.
CVE-2026-9872 is an out-of-bounds write in the GPU component, earning a $43,000 bounty. CVE-2026-9873, a use-after-free in the Network stack, received an identical $43,000 reward. These are followed by CVE-2026-9874 (use-after-free in Dawn, the WebGPU engine), CVE-2026-9875 (out-of-bounds read in WebGL), and CVE-2026-9876 (use-after-free in WebGL). The pattern is consistent: four of the five public flaws are memory corruption issues, three of which are explicitly use-after-free.
The $43,000 maximum rewards indicate exceptional severity according to Google’s scale. The total payout of over $130,000 for just 10 external vulnerabilities—the remainder of the 151 were discovered internally—suggests the vendor is investing significant resources to incentivize the coordinated disclosure of high-impact bugs.
"Most of the critical-severity vulnerabilities patched with the latest Chrome update are use-after-free bugs. This type of memory safety issues could allow attackers to achieve remote code execution and to escape Chrome's sandbox and potentially compromise the entire system." — SecurityWeek
Rendering Engine Under Stress: The Persistence of Use-After-Free
Use-after-free vulnerabilities are a recurring challenge in Chromium, but their concentration in the GPU, WebGL, and Network components is significant. These areas process arbitrary remote inputs—such as graphics shaders, network packets, and WebGL instructions—where parsing complexity expands the attack surface.
The mechanism is a classic memory safety failure: a pointer to memory that has already been freed is dereferenced again, so the program reads or writes memory that the allocator may since have handed to an unrelated object. In Chrome, where rendering occurs within sandboxed processes, chaining such a flaw with a second privilege escalation vulnerability yields a full sandbox escape. The source explicitly identifies this scenario as a path to compromising the entire system, though no active exploits or specific chaining techniques were documented in this release.
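To make the mechanism concrete, the following is an added illustration written for this article; it is not Chromium code and does not model Chromium's own memory-safety defences. It uses a toy resource pool with static storage so the behaviour is deterministic: in the first scenario a raw pointer is kept past release and silently observes the data of the allocation that recycled the slot; in the second, a generational handle (index plus a generation counter bumped on every release, a hardening pattern chosen here as an assumption rather than taken from the page) turns every stale alias into a detectable lookup failure.

```c
/* Added example for this article (not Chromium code): a dangling raw pointer
 * versus a generational handle on a small fixed pool. The pool, the Slot and
 * Handle types and the labels are all constructed for the demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE 4

typedef struct {
    char     label[16];
    uint32_t generation;   /* incremented on every release; stale handles mismatch */
    int      in_use;
} Slot;

typedef struct {
    uint32_t index;
    uint32_t generation;
} Handle;

static Slot pool[POOL_SIZE];

static void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* Take the first free slot and return a handle stamped with its current generation. */
static Handle pool_acquire(const char *label) {
    for (uint32_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            strncpy(pool[i].label, label, sizeof pool[i].label - 1);
            pool[i].label[sizeof pool[i].label - 1] = '\0';
            return (Handle){ i, pool[i].generation };
        }
    }
    return (Handle){ UINT32_MAX, 0 };   /* pool exhausted */
}

/* Release a slot. Bumping the generation invalidates every outstanding handle
 * to it at once, including copies the caller forgot about. */
static void pool_release(Handle h) {
    if (h.index < POOL_SIZE && pool[h.index].in_use &&
        pool[h.index].generation == h.generation) {
        pool[h.index].in_use = 0;
        pool[h.index].generation++;
        memset(pool[h.index].label, 0, sizeof pool[h.index].label);
    }
}

/* Resolve a handle to its slot, or NULL when the handle is stale or bogus. */
static Slot *pool_resolve(Handle h) {
    if (h.index >= POOL_SIZE) return NULL;
    Slot *s = &pool[h.index];
    if (!s->in_use || s->generation != h.generation) return NULL;
    return s;
}

/* Scenario 1: a raw pointer outlives the release. The slot is recycled for an
 * unrelated allocation and the stale pointer now reads the new owner's data.
 * Returns 1 when the use-after-free goes undetected. */
static int demo_raw_pointer_uaf(void) {
    pool_reset();
    Handle h = pool_acquire("first-owner");
    Slot *stale = pool_resolve(h);      /* raw pointer kept past release */
    pool_release(h);
    pool_acquire("new-owner");          /* slot 0 is handed out again */
    return strcmp(stale->label, "new-owner") == 0;
}

/* Scenario 2: the same sequence through generational handles. The copied handle
 * still carries generation 0, the recycled slot is at generation 1, so the
 * lookup fails instead of aliasing the new owner. Returns 1 when detected. */
static int demo_handle_uaf_detected(void) {
    pool_reset();
    Handle h = pool_acquire("first-owner");
    Handle copy = h;                    /* a second alias, as in real code paths */
    pool_release(h);
    pool_acquire("new-owner");
    return pool_resolve(copy) == NULL;
}

int main(void) {
    printf("raw pointer: stale read sees new owner = %d\n", demo_raw_pointer_uaf());
    printf("handle:      stale access detected     = %d\n", demo_handle_uaf_detected());
    return 0;
}
```

The point of the second scenario is that clearing a single pointer after free is not enough when several aliases exist; validation at the point of use is what catches the stale reference. Chromium's production mitigations in this area differ from this toy (for example MiraclePtr, which is not modelled here), but the failure mode they target is the one shown in the first scenario.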
The lack of specific details regarding the 123 high-severity vulnerabilities limits the assessment of residual risk. The source does not classify the types of these flaws or provide associated CVEs.
Patching Inflation: Volume Triples Since March
"Starting in late March, the number of vulnerabilities resolved with each update has increased significantly, with over 350 issues addressed in Chrome 148 alone, this update included." This sustained growth raises questions about the underlying drivers of this surge.
Plausible but unverified hypotheses suggest that the adoption of automated vulnerability discovery tools—such as fuzzers enhanced by large language models or large-scale static analysis—may be generating a flood of reports that strain release cycles. Google has not officially confirmed this link. What is documented is the output: more bugs found, more patches deployed, and increased pressure on enterprise teams managing the rollout.
The source does not specify whether the increase stems from improved discovery, higher disclosure rates, or an internal reorganization of the classification process. Furthermore, comparative data against Chromium's historical trends prior to March 2026 is unavailable.
Why It Matters
The current dossier does not document specific corrective measures recommended by Google for enterprise or consumer users beyond standard updates. There are no listed hardening actions, mitigation configurations, or specific auto-update policies to activate.
The primary technical risk is clear: 22 critical flaws with documented mechanisms for RCE and sandbox escape, affecting a user base estimated at over 3 billion. The unusually high volume of 151 vulnerabilities in a single release implies that corporate security teams must monitor the patching cycle with greater intensity than in the pre-March period.
It remains unclear if the update has reached full rollout or is being distributed gradually, and availability dates for Extended Stable channels are not provided. ChromeOS 148, documented as a "security and maintenance" release without new user features, confirms the timing of the update but does not share security components with the desktop browser.
There are no reports of in-the-wild exploits for any of the 151 vulnerabilities, and it is unknown if the five public CVEs were disclosed prior to the patch. Additionally, bounty amounts for the remaining eight external vulnerabilities were not disclosed, nor was it clarified if all 151 flaws have been assigned CVE identifiers.
FAQ
- Is Chrome 148 available for all platforms simultaneously?
- The specific versions reported are 148.0.7778.216/217 for Windows, 148.0.7778.215/216 for macOS, and 148.0.7778.215 for Linux. It is not documented whether the rollout is simultaneous or staggered by channel.
- Why do only 10 out of 151 vulnerabilities have known bounties?
- Most of the flaws were discovered internally by Google. The $130,000 total applies exclusively to external reports, which included two maximum rewards of $43,000 each.
- Is the increase in vulnerabilities linked to Google's use of AI?
- This correlation is not documented as a fact. The hypothesis is mentioned as a journalistic perspective rather than a verified statement from the vendor.
The most significant takeaway remains the structural acceleration: three months of consistent growth in patching volume, peaking with Chrome 148. If this trend persists, organizations must calibrate their update management cycles for a higher frequency of exposure compared to 2025, regardless of the underlying cause of discovery.
Information is based on cited sources and is current at the time of publication.
Sources
- https://www.securityweek.com/chrome-148-update-patches-151-vulnerabilities/
- https://unit42.paloaltonetworks.com/high-risk-gen-ai-browser-extensions/
- https://cyberscoop.com/zapier-bug-chain-account-takeover-patched/
- https://unit42.paloaltonetworks.com/captive-portal-zero-day/
- https://unit42.paloaltonetworks.com/tracking-tampered-chef-clusters/
- https://www.ghacks.net/2026/05/26/chromeos-148-rolls-out-as-security-and-maintenance-release-ahead-of-chromeos-150-lts-baseline/