Chrome 148: 25 CVEs Patched in One Day, Heavy on Use-After-Free and Sandbox Escapes

Key findings

• 25 CVEs patched in Chrome 148.0.7778.216 across all platforms
• At least 8 use-after-free bugs, several enabling sandbox escape
• Multiple code-execution and sandbox-escape chains possible from a single HTML page
• Platform-specific flaws affect Mac, Windows, Android, ChromeOS, and Linux
• No active exploitation reported as of the May 28 disclosure date
• All fixes are in the stable channel; users should update immediately

Google released Chrome 148.0.7778.216 on May 28, 2026, patching 25 security vulnerabilities in a single stable-channel update — a batch dominated by use-after-free bugs, sandbox-escape chains, and code-execution risks that span nearly every major browser subsystem.

A Cluster of Use-After-Free and Code Execution Bugs

More than a third of the disclosed CVEs are use-after-free (UAF) vulnerabilities, many rated High. CVE-2026-9995 (WebXR, CVSS 8.8), CVE-2026-9992 (Network, CVSS 8.8), CVE-2026-9994 (Core on Windows, CVSS 8.3), CVE-2026-9997 (Input, CVSS 8.3), CVE-2026-9993 (Views, triggered via a crafted PDF, CVSS 8.3), CVE-2026-9988 (WebRTC on Linux, CVSS 8.3), CVE-2026-9984 (UI on Windows, CVSS 8.8), and CVE-2026-9978 (Glic, CVSS 8.8) all allow an attacker to corrupt heap memory after an object is freed. Several of these — including CVE-2026-9997, CVE-2026-9994, and CVE-2026-9988 — are explicitly described as sandbox-escape primitives when the renderer process is already compromised, making them critical components in multi-stage browser exploits.

Sandbox Escapes and Renderer Compromise Chains

A recurring theme in this batch is the combination of renderer-compromise bugs with sandbox-escape pathways. CVE-2026-9998 (Skia integer overflow, CVSS 8.3), CVE-2026-9982 (ANGLE insufficient input validation, CVSS 8.3), CVE-2026-9975 (ANGLE OOB read/write, CVSS 8.3), and CVE-2026-9977 (WebShare on Android, CVSS 8.3) all require prior compromise of the renderer process but then enable escape from the browser sandbox. CVE-2026-9999 (ANGLE on Mac, CVSS 8.8) and CVE-2026-9983 (Skia type confusion, CVSS 8.8) allow arbitrary code execution inside the sandbox from a single crafted HTML page, without requiring a prior renderer foothold.

Memory Disclosure, Site Isolation Bypasses, and Platform-Specific Flaws

Several medium-severity bugs round out the batch. CVE-2026-9996 (WebRTC OOB read on Mac, CVSS 6.5) and CVE-2026-9981 (Skia inappropriate implementation, CVSS 6.5) could leak sensitive process memory to a remote attacker. CVE-2026-9989 (Media, CVSS 6.3) bypasses same-origin policy via a crafted video file. Two CVEs — CVE-2026-9980 (Printing, CVSS 5.0) and CVE-2026-9979 (Input, CVSS 5.0) — allow site-isolation bypass after renderer compromise. Platform-specific issues include CVE-2026-9987 (WebAppInstalls on Android, CVSS 7.8, local code execution via malicious file), CVE-2026-9990 (WebAppInstalls on Mac, CVSS 7.5, heap corruption via UI gestures), CVE-2026-9985 (Media on ChromeOS, CVSS 5.3, memory info leak), and CVE-2026-9991 (Media on Windows, CVSS 3.1, cross-origin data leak).

Patch Status and Mitigation

All 25 CVEs are fixed in Chrome 148.0.7778.216 for Windows, Mac, Linux, ChromeOS, and Android. Google's stable-channel update was published on May 28, 2026. Users should ensure automatic updates are enabled or manually check for the latest version via chrome://settings/help. No in-the-wild exploitation has been reported for any of these CVEs as of the disclosure date.

Why This Batch Matters

This is one of the largest single Chrome security updates of 2026 by CVE count, and the density of sandbox-escape and code-execution bugs — particularly the cluster of use-after-free vulnerabilities across ANGLE, Skia, WebRTC, and the UI layer — means that even partial exploitation chains could give an attacker full control of the browser process. For enterprise environments and users on older Chrome versions, the update is urgent.