Critical Chrome Vulnerabilities Enable Remote Code Execution Attacks – Patch Now!

Google has released an urgent security update for Chrome, addressing 16 vulnerabilities including two rated Critical that could allow attackers to execute arbitrary code on affected systems.

The Stable channel has been updated to 148.0.7778.178/179 for Windows and Mac, and 148.0.7778.178 for Linux, with the rollout expected to complete over the coming days.

Critical Chrome Vulnerabilities Patched

The two most severe flaws both carry a Critical severity rating and were reported internally by Google on April 20, 2026:

• CVE-2026-9111 — A Use-After-Free vulnerability in WebRTC, which could be exploited to corrupt memory and achieve remote code execution through a maliciously crafted web page.
• CVE-2026-9110 — An Inappropriate Implementation flaw in the UI layer, which could allow attackers to bypass security restrictions or spoof browser interface elements.

Use-after-free bugs are particularly dangerous because they allow threat actors to manipulate freed memory regions, often leading to full system compromise when successfully chained with other exploits.

High-Severity Vulnerabilities Patched

Beyond the critical bugs, Google patched nine High-severity flaws spanning multiple components:

CVE	Type	Component	Bounty
CVE-2026-9112	Use-After-Free	GPU	$11,000
CVE-2026-9113	Out-of-Bounds Read	GPU	$3,000
CVE-2026-9114	Use-After-Free	QUIC	N/A
CVE-2026-9115	Insufficient Policy Enforcement	Service Worker	N/A
CVE-2026-9116	Insufficient Policy Enforcement	ServiceWorker	N/A
CVE-2026-9117	Type Confusion	GFX	N/A
CVE-2026-9118	Use-After-Free	XR	N/A
CVE-2026-9119	Heap Buffer Overflow	WebRTC	N/A
CVE-2026-9120	Use-After-Free	WebRTC	N/A

CVE-2026-9112 and CVE-2026-9113 were responsibly disclosed by an external researcher identified as c6eed09fc8b174b0f3eebedcceb1e792, earning a combined $14,000 in bug bounties.

Other Medium-Severity Fixes

Google also patched five Medium-severity issues, including out-of-bounds reads in GPU (CVE-2026-9121, CVE-2026-9122 — credited to David Korczynski of Adalogics and the same external researcher), a heap buffer overflow in Chromecast (CVE-2026-9123), insufficient input validation (CVE-2026-9124), and a use-after-free in DOM (CVE-2026-9126).

Mitigations

Google notes that bug details will remain restricted until most users have received the patch, reducing the risk of exploitation during the rollout window.

Users and administrators should take the following steps immediately:

• Navigate to chrome://settings/help and confirm the browser version is 148.0.7778.178 or higher
• Restart Chrome to apply any pending updates
• Enterprise administrators should force-deploy the update via policy management tools
• Monitor Chrome release notes and CISA advisories for any active exploitation indicators