Google patches 151 Chrome flaws, including 22 critical bugs

Google released a Chrome 148 security update that addresses 151 vulnerabilities, 22 of them classified as critical [1]. The patch, rolling out from May 27, spans desktop and mobile browsers and is intended to close memory‑safety bugs such as use‑after‑free and out‑of‑bounds errors.

Key takeaways

• Chrome 148 fixes 151 flaws, 22 of which are critical [1]
• Over half the bugs are use‑after‑free; 66 such issues were patched [2]
• Most fixes (134) originated from Google’s internal security work [2]
• Four externally reported critical bugs earned $86,000 in bounties [1]
• The update reaches Windows, macOS, Linux and Android; iOS moved to version 149 [2]

Massive patch across multiple platforms

The update brings Chrome to version 148.0.7778.216/217 for Windows, 148.0.7778.215/216 for macOS, 148.0.7778.215 for Linux, and 148.0.7778.215 for Android, while iOS users receive Chrome 149.0.7827.45 [2]. Google began rolling out the patches on May 27, with the stable channel slated to reach users over the next weeks [1][3]. The majority of the vulnerabilities were discovered by Google’s own security teams, reflecting a trend toward automated and AI‑assisted auditing, though Google has not confirmed AI involvement [1].

Critical flaws and bounty rewards

Among the 22 critical bugs are four that earned external bounty rewards ranging from $5,000 to $43,000 each. These include CVE‑2026‑9872 (GPU out‑of‑bounds write), CVE‑2026‑9873 (Network use‑after‑free), CVE‑2026‑9874 (Dawn use‑after‑free) and CVE‑2026‑9875 (WebGL out‑of‑bounds read) [1]. Researcher Cinzinga reported the first two and received $86,000 in total [1]. Other critical issues highlighted by Forbes involve a use‑after‑free in WebRTC (CVE‑2026‑9111) and an UI implementation flaw (CVE‑2026‑9110), both unexploited in the wild [3][4].

How to apply the update now

Google advises users to let Chrome update automatically, but manual installation is possible via Settings → Help → About Google Chrome, which triggers a download and prompts a browser restart [1][2][4]. Prompt updating is recommended because attackers often study patches to craft exploits for older versions [2].

Why it matters

The sheer volume of fixes underscores Chrome’s ongoing exposure to memory‑corruption bugs that can enable remote code execution. While none of the disclosed flaws have been observed in active attacks, the rapid patch cycle aims to stay ahead of potential exploits. The update’s rollout across all major platforms ensures a broad protective baseline, and the continued reliance on internal discovery suggests Google’s security tooling—potentially including AI‑driven fuzzers—remains a key defense mechanism. Users should verify they are on the latest version to benefit from these protections.