Published May 22, 2026 · 1 source

Google Patches Two Critical Chrome Flaws Allowing Remote Code Execution and UI Spoofing

Google has released Chrome 148.0.7778.178/179 to fix two critical vulnerabilities, including a WebRTC use-after-free bug that enables remote code execution on Linux.

Google has issued an emergency security update for Chrome, patching two critical vulnerabilities that could allow attackers to execute arbitrary code or spoof browser UI simply by tricking a user into visiting a malicious website. The stable channel has been updated to version 148.0.7778.178/179 for Windows and Mac, and 148.0.7778.178 for Linux. Users are urged to update immediately, as the fixes will roll out automatically over the coming weeks.

The more severe of the two flaws is CVE-2026-9111, a use-after-free vulnerability in WebRTC, the real-time communication framework Chrome uses for video and audio calls. Use-after-free bugs occur when a program continues to use a pointer after the memory it refers to has been freed, giving an attacker a way to manipulate the program's execution flow. In this case, a remote attacker could exploit the bug on Linux systems by luring a victim into opening a crafted HTML page or visiting a specially designed website, leading to arbitrary code execution on the targeted device.

The second vulnerability, CVE-2026-9110, is an inappropriate implementation in Chrome's Windows UI that enables UI spoofing after an attacker has already compromised the browser's renderer process. Once an attacker gains control of the renderer, they can craft a malicious HTML page that displays fake dialog boxes or windows that appear legitimate. This could trick users into entering sensitive information—such as passwords or credit card details—into what looks like a trusted site, effectively handing the data to the attacker.

Google has not disclosed whether either vulnerability is being actively exploited in the wild, but the company's standard practice is to restrict technical details until a majority of users have updated. The update also addresses several other high-severity bugs, though the company did not provide a full list. Notably, the patch does not include a fix for the so-called "Browser Fetch" vulnerability, a separate Chromium flaw that was accidentally leaked to the public on May 20, 2026, after remaining unpatched for 46 months. That issue, which allows persistent JavaScript execution even after the browser is closed, remains unresolved and has exploit code circulating on archival sites.

Chrome users can manually trigger the update by navigating to Settings > About Chrome in the browser menu. If an update is available, Chrome will begin downloading it; a restart completes the installation. Given the critical nature of these vulnerabilities—especially the remote code execution vector on Linux—security experts recommend updating without delay. This is the latest in a series of urgent Chrome patches in 2026, following a 79-vulnerability fix in the initial Chrome 148 release and ongoing concerns about the leaked Browser Fetch flaw.
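For administrators who want to confirm the fix has landed on Linux hosts rather than relying on the automatic rollout, the following added example (not code from the article or from Google) compares the installed version against the fixed Linux build 148.0.7778.178 named above; it assumes the browser is invoked as `google-chrome` and that its version string is four dotted integers.

```shell
#!/bin/sh
# Added example: is the installed Chrome at or above the fixed Linux build?
# Assumption: the fixed Linux version is 148.0.7778.178, as stated in the article.
FIXED_LINUX="148.0.7778.178"

# version_ge A B: return 0 if dotted version A >= B, 1 otherwise.
# Compares numerically, field by field, so 148.0.7778.9 < 148.0.7778.178
# (a plain string comparison would get this wrong).
version_ge() {
    a="$1" b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# chrome_patched VERSION: print "patched" or "vulnerable"; exit 0 only when patched.
chrome_patched() {
    if version_ge "$1" "$FIXED_LINUX"; then
        echo "patched"
        return 0
    fi
    echo "vulnerable"
    return 1
}

# Read the installed version from the binary (assumed name: google-chrome).
installed_chrome_version() {
    command -v google-chrome >/dev/null 2>&1 || return 1
    google-chrome --version 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n1
}

if v=$(installed_chrome_version) && [ -n "$v" ]; then
    echo "Installed Chrome $v: $(chrome_patched "$v")"
else
    echo "google-chrome not found; call chrome_patched <version> to check a known version"
fi
```

On Windows and Mac the fixed builds are 148.0.7778.178/179, so the same comparison applies with `FIXED_LINUX` set to the platform's build.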

Synthesized by Vypr AI