Google Patches 79 Vulnerabilities in Chrome 148 Update
Google has released Chrome 148 to address 79 vulnerabilities, including 14 critical-severity bugs that could potentially lead to remote code execution.
Google has released Chrome version 148, addressing a total of 79 security vulnerabilities, including 14 flaws rated as critical severity. The update, which is currently rolling out to users, covers a wide range of components within the browser, from the rendering engine to file system management SecurityWeek.
The most severe issues include CVE-2026-8509, a heap buffer overflow in WebML, and CVE-2026-8510, an integer overflow in the Skia graphics library. Google awarded a $43,000 bug bounty for the discovery of the WebML flaw and $25,000 for the Skia issue. While Google has not released specific technical details regarding these vulnerabilities, the high bounty payouts and critical severity ratings indicate that these bugs could potentially be leveraged for remote code execution SecurityWeek.
Beyond these two, the update addresses 12 additional critical-severity defects discovered internally by Google. These include eight separate use-after-free vulnerabilities affecting the UI, FileSystem, Input, Aura, HID, Blink, Tab Groups, and Downloads components. Other critical bugs patched in this release include an insufficient validation of untrusted input in DataTransfer, an object lifecycle issue in WebShare, an integer overflow in ANGLE, and a race condition within the Payments component SecurityWeek.
In addition to the critical bugs, the Chrome 148 update resolves 37 high-severity weaknesses. These encompass a broad spectrum of security issues, such as out-of-bounds writes, heap buffer overflows, insufficient policy enforcement, out-of-bounds reads, and type confusion defects. Google has paid out at least $44,000 in bug bounties for four of these high-severity flaws, with total payouts expected to rise as further disclosures are processed SecurityWeek.
The update is now available as version 148.0.7778.167 for Linux, and versions 148.0.7778.167/168 for Windows and macOS. Google has stated that there is currently no evidence suggesting that any of these vulnerabilities have been exploited in the wild. Concurrently, Mozilla has released Firefox version 150.0.3, which addresses five high-severity flaws impacting the JIT compiler, WebAssembly, the JavaScript engine, and profile backup functionality SecurityWeek.
The scale of this update, totaling 79 resolved issues, highlights the ongoing challenge of securing complex browser architectures. As browser vendors continue to refine their security postures, the reliance on bug bounty programs remains a primary mechanism for identifying and mitigating vulnerabilities before they can be weaponized by threat actors SecurityWeek.