Google released Chrome 148, an update that resolves 151 vulnerabilities, including 22 critical-severity flaws. The update is now rolling out as versions 148.0.7778.216/217 for Windows, 148.0.7778.215/216 for macOS, and 148.0.7778.215 for Linux.
The most severe issues patched include CVE-2026-9872, an out-of-bounds write in the GPU component, and CVE-2026-9873, a use-after-free flaw in the Network component. Google awarded $43,000 to the researchers who reported each of these bugs. Three additional critical vulnerabilities were also reported by external researchers: CVE-2026-9874 (use-after-free in Dawn), CVE-2026-9875 (out-of-bounds read in WebGL), and CVE-2026-9876 (use-after-free in WebGL).
Use-after-free bugs constitute the majority of the critical vulnerabilities addressed in this release. These types of flaws can enable attackers to execute arbitrary code remotely and potentially escape Chrome’s sandbox protections, which could lead to full system compromise. Other common issues in the patch list include insufficient validation of untrusted input and out-of-bounds memory access problems.
In addition to the 22 critical flaws, Chrome 148 fixes 123 high-severity weaknesses and six medium-severity defects. Google has paid more than $130,000 in bug bounty rewards for 10 security flaws identified by external researchers. The company has not disclosed bounty amounts for several other reported vulnerabilities.
Most of the vulnerabilities resolved in this update were discovered internally by Google. The Chrome 148 release addresses more than 350 issues in total when including non-security fixes and improvements. Starting in late March, the number of vulnerabilities resolved in each Chrome update has risen noticeably. Google last month reduced Chrome bug bounty payouts.