The update moves Chrome’s stable desktop channel to version 148.0.7778.178/179 for Windows and macOS, and 148.0.7778.178 for Linux. It is being rolled out globally through the browser’s automatic update mechanism, though users and administrators may need to relaunch Chrome for the protection to take effect.
The latest patch addresses 16 security issues, including two rated critical. One of the most serious, tracked as CVE-2026-9111, is a use-after-free flaw in WebRTC, the browser technology that supports real-time audio, video and data communication. Another critical issue, CVE-2026-9110, involves an inappropriate implementation in Chrome’s user interface layer. Both were reported internally by Google on April 20.
Security advisories have warned that vulnerable browsers could be targeted if a user is persuaded to open a specially crafted web page. Successful exploitation could lead to remote code execution or other consequences, depending on the flaw, browser configuration, operating system protections and the privileges available to the logged-in user.
The update also includes high-severity fixes across GPU, QUIC, Service Worker, GFX, XR and WebRTC components. These include use-after-free defects, out-of-bounds reads, heap buffer overflows, insufficient policy enforcement and type confusion bugs. Such vulnerabilities are closely watched by enterprise defenders because they affect components that handle complex web content, graphics rendering, network transport and browser isolation.
Google has kept some bug details restricted while the update reaches a wider user base. That practice is common in browser security, as public technical details can give attackers a roadmap before enough users and organisations have applied patches. The company has not publicly stated that these specific flaws are being exploited in the wild.
The new desktop release follows a busy patching cycle for Chrome 148. Earlier this month, the stable channel received a major update that addressed 127 security flaws across Windows, macOS and Linux. That release included critical memory-safety issues in Blink, Mobile and Chromoting, along with high-severity bugs in the V8 JavaScript engine, ANGLE, Skia and WebRTC. A subsequent patch addressed another large batch of vulnerabilities before the current build raised the minimum protected version again.
The cadence underscores the scale of the browser security challenge. Chrome is used across consumer devices, corporate desktops, cloud workstations and managed mobile fleets, making it a prime target for cybercriminal groups, spyware operators and vulnerability brokers. Browser bugs are particularly valuable because they can be triggered through web content, email links, advertising chains or compromised websites.
Memory-corruption flaws remain among the most important categories in browser security. Use-after-free bugs occur when software continues to reference memory after it has been released, creating a path for crashes or code execution. Heap buffer overflows and type confusion flaws can also allow attackers to manipulate memory in ways the browser did not intend. Modern browsers deploy sandboxing, site isolation and exploit mitigations, but attackers often chain multiple bugs to move from browser compromise toward deeper system access.
For companies, the main risk lies in delayed patching. Managed Chrome deployments can lag when updates are staged, blocked by compatibility testing or held back by outdated endpoint-management policies. Security teams are expected to verify that Windows, macOS and Linux fleets have reached version 148.0.7778.178 or later, with Windows and macOS systems also receiving 148.0.7778.179 where applicable.
Individual users can check their browser status through Chrome’s settings menu by opening the About Google Chrome page. The browser usually downloads updates automatically, but the final installation often requires a restart. Users who leave browser windows open for long periods may remain exposed even after an update has been downloaded.
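The fleet check and the relaunch caveat described above can be combined in one audit. The following is an added example, not code from Google or from this article: the inventory column names, host names and the older version numbers in the sample are constructed assumptions, and only the minimum build 148.0.7778.178 comes from the text.

```python
import csv
import io
import re

# Minimum patched build named in the article for Windows, macOS and Linux.
MIN_PATCHED = (148, 0, 7778, 178)

# Constructed sample inventory. The columns are an assumption about what an
# endpoint-management export might contain, not a real product's schema.
SAMPLE_INVENTORY = """host,os,installed_version,running_version
ws-001,windows,148.0.7778.179,148.0.7778.179
ws-002,windows,148.0.7778.178,148.0.7778.96
mac-003,macos,148.0.7778.96,148.0.7778.96
lnx-004,linux,148.0.7778.178,
lnx-005,linux,147.0.7700.1,147.0.7700.1
kiosk-006,windows,unknown,unknown
"""

def parse_version(text):
    """Return the version as a 4-tuple of ints, or None if it is malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip(), re.ASCII)
    return tuple(int(part) for part in m.groups()) if m else None

def classify(row):
    """Compare numerically: as strings, '...96' would sort above '...178'."""
    installed = parse_version(row["installed_version"])
    if installed is None:
        return "unknown"
    if installed < MIN_PATCHED:
        return "vulnerable"
    running_raw = (row.get("running_version") or "").strip()
    if not running_raw:
        return "patched"  # Chrome is not running; the next launch uses the new build
    running = parse_version(running_raw)
    if running is None:
        return "unknown"
    return "patched" if running >= MIN_PATCHED else "pending_relaunch"

def audit(inventory_csv):
    """Map each host to patched, pending_relaunch, vulnerable or unknown."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row) for row in reader}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as pending_relaunch have the fixed build on disk but are still running the old one, so they should be counted as exposed until Chrome restarts.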
The update also affects organisations that rely on Chromium-based software ecosystems. While the patch applies to Google Chrome, related browser projects and embedded Chromium applications often review the same flaw classes and dependencies. Security teams commonly monitor whether other Chromium-based products require their own releases after upstream fixes.