Chrome 148 Patches 25 CVEs in One Day, Heavy on Use-After-Free and Sandbox Escapes
Google's Chrome 148.0.7778.216 fixes 25 security vulnerabilities, including a dense cluster of use-after-free bugs and sandbox-escape primitives across ANGLE, Skia, WebRTC, and the UI layer.
Google released Chrome 148.0.7778.216 on May 28, 2026, patching 25 security vulnerabilities in a single stable-channel update — a batch dominated by use-after-free bugs, sandbox-escape chains, and code-execution risks that span nearly every major browser subsystem.
More than a third of the disclosed CVEs are use-after-free (UAF) vulnerabilities, many rated High. CVE-2026-9995 (WebXR, CVSS 8.8), CVE-2026-9992 (Network, CVSS 8.8), CVE-2026-9994 (Core on Windows, CVSS 8.3), CVE-2026-9997 (Input, CVSS 8.3), CVE-2026-9993 (Views, triggered via a crafted PDF, CVSS 8.3), CVE-2026-9988 (WebRTC on Linux, CVSS 8.3), CVE-2026-9984 (UI on Windows, CVSS 8.8), and CVE-2026-9978 (Glic, CVSS 8.8) all allow an attacker to corrupt heap memory after an object is freed. Several of these — including CVE-2026-9997, CVE-2026-9994, and CVE-2026-9988 — are explicitly described as sandbox-escape primitives when the renderer process is already compromised, making them critical components in multi-stage browser exploits.
A recurring theme in this batch is the combination of renderer-compromise bugs with sandbox-escape pathways. CVE-2026-9998 (Skia integer overflow, CVSS 8.3), CVE-2026-9982 (ANGLE insufficient input validation, CVSS 8.3), CVE-2026-9975 (ANGLE OOB read/write, CVSS 8.3), and CVE-2026-9977 (WebShare on Android, CVSS 8.3) all require prior compromise of the renderer process but then enable escape from the browser sandbox. CVE-2026-9999 (ANGLE on Mac, CVSS 8.8) and CVE-2026-9983 (Skia type confusion, CVSS 8.8) allow arbitrary code execution inside the sandbox from a single crafted HTML page, without requiring a prior renderer foothold.
Several medium-severity bugs round out the batch. CVE-2026-9996 (WebRTC OOB read on Mac, CVSS 6.5) and CVE-2026-9981 (Skia inappropriate implementation, CVSS 6.5) could leak sensitive process memory to a remote attacker. CVE-2026-9989 (Media, CVSS 6.3) bypasses same-origin policy via a crafted video file. Two CVEs — CVE-2026-9980 (Printing, CVSS 5.0) and CVE-2026-9979 (Input, CVSS 5.0) — allow site-isolation bypass after renderer compromise. Platform-specific issues include CVE-2026-9987 (WebAppInstalls on Android, CVSS 7.8, local code execution via malicious file), CVE-2026-9990 (WebAppInstalls on Mac, CVSS 7.5, heap corruption via UI gestures), CVE-2026-9985 (Media on ChromeOS, CVSS 5.3, memory info leak), and CVE-2026-9991 (Media on Windows, CVSS 3.1, cross-origin data leak).
All 25 CVEs are fixed in Chrome 148.0.7778.216 for Windows, Mac, Linux, ChromeOS, and Android. Google's stable-channel update was published on May 28, 2026. Users should ensure automatic updates are enabled or manually check for the latest version via chrome://settings/help. No in-the-wild exploitation has been reported for any of these CVEs as of the disclosure date.
This is one of the largest single Chrome security updates of 2026 by CVE count, and the density of sandbox-escape and code-execution bugs — particularly the cluster of use-after-free vulnerabilities across ANGLE, Skia, WebRTC, and the UI layer — means that even partial exploitation chains could give an attacker full control of the browser process. For enterprise environments and users on older Chrome versions, the update is urgent.
Google subsequently disclosed that 10 of those 25 bugs affect ANGLE specifically, the graphics translation layer. The ANGLE batch includes five sandbox-escape primitives (CVE-2026-9932, CVE-2026-9926, CVE-2026-9924, CVE-2026-9904, CVE-2026-9900) exploitable after renderer compromise, alongside code-execution flaws such as CVE-2026-9941 and CVE-2026-9940 (both CVSS 8.8). Notably, Chromium rated CVE-2026-9882 Critical despite its CVSSv3 of 6.5, citing elevated cross-origin data-leakage risk.