Critical Chrome Vulnerabilities Enable Remote Code Execution Attacks – Patch Now!

MacThreat

Google has released an urgent security update for Chrome addressing 16 vulnerabilities, two of them rated Critical. The more severe of the two is a memory-safety bug that could allow remote code execution through a crafted web page. The Stable channel has been updated to version 148.0.7778.178/179 for Windows and Mac (Google lists two build numbers for the same release) and 148.0.7778.178 for Linux, with a phased rollout expected to complete over the coming days. Enterprises and individual users are urged to apply the patch immediately.

Critical Flaws Enable Full System Compromise

The two most severe vulnerabilities, both internally reported by Google on April 20, 2026, carry a Critical severity rating. CVE-2026-9111 is a Use-After-Free bug in the WebRTC component; a maliciously crafted web page can trigger it to corrupt memory and potentially achieve remote code execution. CVE-2026-9110 is an Inappropriate Implementation flaw in the browser's UI layer, which could allow attackers to bypass security restrictions or spoof interface elements.

Use-After-Free vulnerabilities are particularly dangerous because the program keeps using a chunk of memory after it has been returned to the allocator. If an attacker can get their own data allocated into that chunk first, the stale reference now reads attacker-controlled fields, including function pointers, which is how memory corruption turns into code execution. In a browser that code runs inside the sandboxed process that hit the bug, so full system compromise normally requires chaining the UAF with a sandbox-escape vulnerability. Even so, these two Critical bugs represent the highest immediate risk to users.
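The following C program is an added illustration of the use-after-free pattern described above; it is not Chromium code and does not reproduce CVE-2026-9111. It uses a small constructed pool allocator so that the freed chunk is reused deterministically, a hypothetical `peer` object with a callback pointer standing in for the kind of object such a bug targets, and a generation-checked handle as a simplified hardened form. The vulnerable path shows the attacker's bytes landing where the callback pointer lived; the hardened path refuses the stale use.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not Chromium code. A four-slot LIFO pool stands in for
 * the heap so that the freed chunk is reused deterministically; real
 * allocators commonly reuse same-sized chunks this way but promise nothing. */
#define SLOT_SIZE  32
#define SLOT_COUNT 4

static _Alignas(16) unsigned char pool[SLOT_COUNT][SLOT_SIZE];
static int      free_stack[SLOT_COUNT];
static int      free_top;
static unsigned slot_gen[SLOT_COUNT];   /* bumped on every free (used by the hardened path) */

static void pool_init(void) {
    memset(pool, 0, sizeof pool);
    memset(slot_gen, 0, sizeof slot_gen);
    free_top = 0;
    for (int i = SLOT_COUNT - 1; i >= 0; i--) free_stack[free_top++] = i;  /* slot 0 is handed out first */
}

static void *pool_alloc(void) { return free_top ? pool[free_stack[--free_top]] : NULL; }

static int slot_of(const void *p) { return (int)(((const unsigned char *)p - &pool[0][0]) / SLOT_SIZE); }

static void pool_free(void *p) {
    int idx = slot_of(p);
    slot_gen[idx]++;                     /* every handle minted before this free is now stale */
    free_stack[free_top++] = idx;
}

/* Hypothetical object: a peer-connection-like record with a callback pointer. */
typedef void (*handler_fn)(int *);
struct peer { handler_fn on_close; int state; };

static int g_attacker_calls;
static void benign_handler(int *s)   { (*s)++; }
static void attacker_handler(int *s) { (void)s; g_attacker_calls++; }

/* Vulnerable pattern: a second reference outlives the free, attacker bytes are
 * allocated into the same chunk, and the stale reference is then used.
 * Returns 1 if the attacker-chosen function ran. */
int vulnerable_uaf(void) {
    pool_init();
    g_attacker_calls = 0;
    struct peer *p = pool_alloc();
    p->on_close = benign_handler;
    p->state = 0;
    struct peer *dangling = p;             /* e.g. a queued callback still holding the object */
    pool_free(p);                          /* object freed; dangling still points at the slot */

    unsigned char *payload = pool_alloc(); /* constructed "attacker" allocation: same size, same slot */
    handler_fn fake = attacker_handler;
    memcpy(payload, &fake, sizeof fake);   /* overwrites the bytes where on_close lived */

    dangling->on_close(&dangling->state);  /* use after free: control flow hijacked */
    return g_attacker_calls == 1;
}

/* Hardened pattern: references are generation-checked handles (a simplified
 * version of the idea behind weak handles and tagged memory), so a stale one
 * resolves to NULL. Returns 1 if the stale use was refused. */
struct handle { int slot; unsigned gen; };
static struct handle handle_of(void *p) { struct handle h = { slot_of(p), slot_gen[slot_of(p)] }; return h; }
static void *resolve(struct handle h)   { return slot_gen[h.slot] == h.gen ? pool[h.slot] : NULL; }

int hardened_no_uaf(void) {
    pool_init();
    g_attacker_calls = 0;
    struct peer *p = pool_alloc();
    p->on_close = benign_handler;
    p->state = 0;
    struct handle ref = handle_of(p);
    pool_free(p);

    unsigned char *payload = pool_alloc();
    handler_fn fake = attacker_handler;
    memcpy(payload, &fake, sizeof fake);   /* same attacker allocation as above */

    struct peer *q = resolve(ref);
    if (q == NULL) return 1;               /* generation mismatch: refuse the stale use */
    q->on_close(&q->state);
    return g_attacker_calls == 0;
}

int main(void) {
    printf("vulnerable: attacker handler ran = %d\n", vulnerable_uaf());
    printf("hardened:   stale use refused   = %d\n", hardened_no_uaf());
    return 0;
}
```

The pool is what makes the demonstration repeatable; against a real allocator the attacker has to arrange the same-size reuse themselves, which is the "heap grooming" part of a browser exploit, and a sanitizer build would abort at the stale access instead of running the fake handler.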

High-Severity Bugs Across Multiple Components

Beyond the critical flaws, Google patched nine High-severity vulnerabilities spanning components including GPU, QUIC, Service Worker, GFX, XR, and WebRTC. Notable among these are CVE-2026-9112 (Use-After-Free in GPU) and CVE-2026-9113 (Out-of-Bounds Read in GPU), both responsibly disclosed by external researcher c6eed09fc8b174b0f3eebedcceb1e792, who earned a combined $14,000 in bug bounties.

Additional High-severity fixes include Type Confusion in GFX, Heap Buffer Overflow in WebRTC, and multiple Use-After-Free issues in WebRTC and XR components. Google also addressed five Medium-severity issues, including out-of-bounds reads in GPU, a heap buffer overflow in Chromecast, insufficient input validation, and a Use-After-Free in DOM.

Immediate Patching Required

Google notes that bug details will remain restricted until most users have received the patch, reducing the risk of exploitation during the rollout window. To update manually, open chrome://settings/help: loading that page triggers an update check and downloads any pending update; click Relaunch, then confirm the page reports 148.0.7778.178 or later (148.0.7778.179 is also a fixed build on Windows and Mac). A browser that has downloaded the update but has not been relaunched is still running the old code. Enterprise administrators should force-deploy the update via their policy management tooling, verify installed versions across the fleet rather than assuming auto-update ran, and monitor the Chrome release notes and CISA advisories for any reports of active exploitation.
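The manual check above does not scale across a fleet, and a naive text comparison of version strings gives wrong answers (as text, "148.0.7778.99" sorts after "148.0.7778.178"). The C routine below is an added example, not Google's tooling: it parses the output of `google-chrome --version` or the string shown on chrome://version numerically and compares it against the lowest fixed build named in this advisory, 148.0.7778.178. The inventory lines in `main` are constructed samples.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Google's tooling. Lowest fixed build from the advisory:
 * 148.0.7778.178 on Linux and the lower of the two Windows/Mac builds. */
#define FIXED_VERSION "148.0.7778.178"

struct chrome_version { long part[4]; };   /* major.minor.build.patch */

/* Parses "148.0.7778.178", "Google Chrome 148.0.7778.178" or
 * "148.0.7778.178 (Official Build) (64-bit)". Returns 1 on success, 0 otherwise. */
int parse_chrome_version(const char *s, struct chrome_version *v) {
    while (*s && !isdigit((unsigned char)*s)) s++;     /* skip "Google Chrome ", "Chromium " etc. */
    for (int i = 0; i < 4; i++) {
        char *end;
        long val = strtol(s, &end, 10);
        if (end == s || val < 0) return 0;              /* missing or negative component */
        v->part[i] = val;
        s = end;
        if (i < 3) {
            if (*s != '.') return 0;
            s++;
        }
    }
    return *s == '\0' || isspace((unsigned char)*s);   /* nothing glued to the last number */
}

/* Numeric comparison, component by component: -1, 0 or 1. Text comparison
 * would rank "148.0.7778.99" above "148.0.7778.178", which is exactly wrong. */
int compare_chrome_version(const struct chrome_version *a, const struct chrome_version *b) {
    for (int i = 0; i < 4; i++) {
        if (a->part[i] < b->part[i]) return -1;
        if (a->part[i] > b->part[i]) return 1;
    }
    return 0;
}

/* 1 = at or above the fixed build, 0 = needs the update, -1 = not a version string. */
int chrome_is_patched(const char *version_line) {
    struct chrome_version have, need;
    if (!parse_chrome_version(version_line, &have)) return -1;
    parse_chrome_version(FIXED_VERSION, &need);
    return compare_chrome_version(&have, &need) >= 0;
}

int main(void) {
    /* Constructed sample lines, one per host, as `google-chrome --version` would print them. */
    const char *inventory[] = {
        "Google Chrome 148.0.7778.178",
        "Google Chrome 148.0.7778.179",
        "Google Chrome 148.0.7778.99",
        "Chromium 147.0.7700.300",
        "148.0.7778.178 (Official Build) (64-bit)",
        "chrome not installed",
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        int r = chrome_is_patched(inventory[i]);
        printf("%-45s %s\n", inventory[i],
               r == 1 ? "patched" : r == 0 ? "NEEDS UPDATE" : "unparseable");
    }
    return 0;
}
```

The parser deliberately rejects anything glued to the fourth component, so a build label such as a trailing "beta" is reported as unparseable rather than silently treated as fixed; an inventory job should surface those hosts for a manual look instead of counting them either way.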

This patch cycle underscores the persistent threat facing modern browsers, where memory corruption and implementation flaws continue to provide entry points for attackers. A browser RCE is typically the initial foothold; organizations that delay patching risk exposure to attacks that begin on a single workstation and expand from there. With no evidence of active exploitation yet reported, the window for proactive defense remains open, but it will not stay open indefinitely.

Originally reported by Cyber Security News. Adapted and republished with editorial context for MacThreat.
