Google has released an urgent security update for Chrome addressing 16 vulnerabilities, including two rated Critical: a use-after-free in WebRTC that could allow attackers to execute arbitrary code on affected systems, and an inappropriate implementation flaw in the browser UI. The Stable channel has been updated to version 148.0.7778.178/179 for Windows and Mac, and 148.0.7778.178 for Linux. Users and administrators should treat this as a high-priority update and apply it immediately.
Two Critical Flaws Headline the Release
The most severe vulnerabilities in this release both carry a Critical severity rating and were reported internally by Google’s own security team on April 20, 2026:
- CVE-2026-9111 — A Use-After-Free vulnerability in WebRTC, Chrome’s real-time communication engine. A use-after-free arises when code keeps using memory after it has been released; an attacker who can control what lands in the freed region, typically from JavaScript on a crafted web page, can corrupt program state and potentially achieve arbitrary code execution in the affected process. WebRTC is enabled by default in every Chrome installation and is reachable from any web page, which makes this flaw particularly dangerous.
- CVE-2026-9110 — An Inappropriate Implementation flaw in Chrome’s UI layer. This class of bug does not corrupt memory; it could allow attackers to bypass security restrictions or spoof browser interface elements, tricking users into interacting with malicious content they believe to be legitimate.
Use-after-free vulnerabilities are among the most commonly exploited browser flaws because they can be reliably triggered through JavaScript running in web pages and are frequently chained with other bugs to achieve full system compromise. On its own, a use-after-free in renderer-side code yields code execution inside Chrome’s sandbox; combined with a sandbox escape, a critical use-after-free in a high-value target like WebRTC can let an attacker take full control of the victim’s machine simply by getting them to visit a malicious website.
Nine High-Severity Flaws Also Patched
Beyond the two critical issues, Google patched nine High-severity vulnerabilities spanning multiple Chrome components:
- CVE-2026-9112 — Use-After-Free in GPU (external researcher rewarded $11,000)
- CVE-2026-9113 — Out-of-Bounds Read in GPU (external researcher rewarded $3,000)
- CVE-2026-9114 — Use-After-Free in QUIC, Chrome’s transport protocol
- CVE-2026-9115 — Insufficient Policy Enforcement in Service Worker
- CVE-2026-9116 — Insufficient Policy Enforcement in Service Worker
- CVE-2026-9117 — Type Confusion in GFX rendering engine
- CVE-2026-9118 — Use-After-Free in XR (extended reality) component
- CVE-2026-9119 — Heap Buffer Overflow in WebRTC
- CVE-2026-9120 — Use-After-Free in WebRTC
CVE-2026-9112 and CVE-2026-9113 were responsibly disclosed by an external researcher identified only by a hash handle, earning a combined $14,000 in bug bounties through Google’s Vulnerability Reward Program. The concentration of high-severity bugs in WebRTC and GPU components is notable: these are complex, performance-critical code paths that are difficult to audit and are recurring attack surfaces.
Medium-Severity Issues Round Out the Release
Five Medium-severity vulnerabilities were also addressed in this update:
- CVE-2026-9121 and CVE-2026-9122 — Out-of-Bounds Reads in GPU, credited to David Korczynski of Adalogics and the same external researcher who found the high-severity GPU bugs
- CVE-2026-9123 — Heap Buffer Overflow in Chromecast
- CVE-2026-9124 — Insufficient Input Validation
- CVE-2026-9126 — Use-After-Free in DOM (Document Object Model)
Why This Update Demands Immediate Action
Chrome is the world’s most widely used browser, with a market share exceeding 65% across desktop and mobile platforms. A critical remote code execution vulnerability in Chrome represents one of the broadest possible attack surfaces in enterprise and consumer environments alike. Threat actors routinely monitor Chrome security bulletins and begin developing exploits immediately after patch releases, using the disclosed vulnerability details to reverse-engineer what was fixed. Because Chromium is open source, the fixing commits are visible in the public source tree as soon as they land, so a patched binary can be diffed against an unpatched one even while the bug reports themselves stay private.
Google has temporarily restricted access to full technical details of these vulnerabilities until the majority of users have received the update, a standard practice designed to reduce the window during which attackers can develop working exploits before organizations have patched. This makes rapid deployment especially important: the window between patch release and weaponized exploit availability has historically been measured in days, not weeks.
How to Update Chrome Immediately
Users and administrators should take the following steps without delay:
- Check your version — Navigate to chrome://settings/help in your browser address bar to see your current version and trigger an update check (chrome://version shows the version without starting an update)
- Verify the target version — Confirm the browser updates to version 148.0.7778.178 or higher (148.0.7778.178 or 179 on Windows and Mac)
- Restart Chrome — A downloaded update is only applied on relaunch. Quit Chrome completely, including any background processes it keeps running after the last window is closed, then start it again; an update that is pending shows as an "Update" button in the toolbar until that happens
- Enterprise deployment — IT administrators should force-deploy the update immediately via Group Policy or other device management tools rather than waiting for the gradual rollout to reach all endpoints
- Monitor for exploitation — Check CISA’s Known Exploited Vulnerabilities catalog and threat intelligence feeds for any indication that these flaws are being actively exploited in the wild
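The version check and enterprise verification steps above can be scripted so the same test runs on every endpoint. The following is an added example, not Google's tooling and not code from this article: it extracts the version from Chrome's `--version` output and compares it numerically against the fixed build the bulletin lists (148.0.7778.178; the .179 Windows/Mac build also passes because any build at or above .178 is patched). The binary names and the macOS path are assumptions about where Chrome is installed, and `grep -o` is assumed to be available (GNU and BSD grep both have it). A plain string comparison is deliberately avoided because it ranks `.99` above `.178`.

```shell
#!/bin/sh
# Added example (not from Google or the article): classify a host's Chrome
# build against the minimum fixed version from this bulletin.

MIN_FIXED="148.0.7778.178"   # fixed build per the advisory; .179 also passes

# version_ge A B: succeed if dotted version A >= B, comparing each of the
# four numeric components. A string compare would wrongly put .99 above .178.
version_ge() {
  a=$1; b=$2; i=1
  while [ "$i" -le 4 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# parse_version: pull the first a.b.c.d version out of "--version" output,
# e.g. "Google Chrome 148.0.7778.178 " or "Chromium 147.0.7700.50 snap".
# Assumes grep supports -o (GNU and BSD grep do).
parse_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# chrome_status OUTPUT: print patched / vulnerable / unknown for one host,
# given the raw text of its Chrome --version output.
chrome_status() {
  v=$(parse_version "$1")
  if [ -z "$v" ]; then
    echo unknown
  elif version_ge "$v" "$MIN_FIXED"; then
    echo patched
  else
    echo vulnerable
  fi
}

# check_installed: find a Chrome/Chromium binary on this host and classify it.
# The candidate names are assumptions covering common Linux packages and the
# default macOS install location; on Windows the same comparison would be fed
# from the executable's file version or the registry instead.
check_installed() {
  for bin in google-chrome google-chrome-stable chromium chromium-browser \
      "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; do
    if command -v "$bin" >/dev/null 2>&1; then
      chrome_status "$("$bin" --version 2>/dev/null)"
      return 0
    fi
  done
  echo not-installed
}

printf 'this host: %s\n' "$(check_installed)"
```

Run it over the fleet through whatever remote-execution channel is already in place (SSH, the configuration-management agent, or an MDM script job) and collect the one-word result per host; anything reporting `vulnerable` or `unknown` is a candidate for the forced deployment described in the enterprise step, and `unknown` usually means the binary printed something the parser did not recognise and deserves a manual look.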
Broader Security Context
This Chrome update comes during a period of elevated browser vulnerability activity across the industry. Browser vendors have been releasing emergency patches with increased frequency as threat actors increasingly target browser-based attack surfaces. The abundance of use-after-free vulnerabilities in this release reflects the ongoing challenge of securing complex, high-performance code that handles untrusted content from the open internet.
Organizations running Chrome at scale should also review their browser update policies to ensure that automatic updates are enabled and that the gradual rollout timeline does not leave critical systems unpatched for extended periods. Given the severity of CVE-2026-9111 and CVE-2026-9110, waiting for the automatic rollout to reach all endpoints is not recommended — proactive deployment is the appropriate response.