Google has officially released a security update for the Google Chrome Stable channel on Desktop, addressing 16 security vulnerabilities ranging from minor input-handling issues to critical, system-level code execution threats.
The update upgrades the browser to version 148.0.7778.178/179 for Windows and Mac, and version 148.0.7778.178 for Linux. Google notes that the software patch will roll out incrementally over the coming days and weeks. As is standard with major browser security rollouts, access to granular bug details, technical proofs of concept, and underlying tracking links will remain strictly restricted until a majority of the global user base has successfully updated their installations. This curtain of confidentiality will also extend to flaws residing within shared, third-party libraries that adjacent software projects rely on but have not yet independently patched.
Double Impact: WebRTC and UI Earn “Critical” Labels
Two of the sixteen security flaws fixed in this update cycle earned the maximum Critical severity designation. Both vulnerabilities were discovered internally by Google’s own security research divisions on April 20, 2026.
1. Memory Exploitation via WebRTC (CVE-2026-9111)
The first critical patch targets a severe Use-After-Free (UAF) memory corruption vulnerability nested deep inside Chrome’s WebRTC engine, the open-source framework responsible for real-time voice, video, and data communication in the browser. In a typical UAF scenario, an application continues to hold a pointer to a block of memory after that block has been freed. An attacker can manipulate browser interactions so that the freed memory is reused for attacker-controlled content, and the stale pointer then operates on that content, allowing them to break out of the browser’s sandbox and execute unauthorized code on the host device.
2. Sandbox Subversion via the UI (CVE-2026-9110)
The second critical flaw hits the core browser User Interface (UI) subsystem, flagged as an “Inappropriate implementation.” Flaws in this category typically indicate structural design oversights that permit malicious web entities to mimic native browser dialogs, spoof security address indicators, or manipulate origin policies to execute unauthorized tasks with the high privileges attached to the core browser UI thread.
High-Severity Risks: A Swarm of UAF and Type Confusion Bugs
The update eliminates a heavily populated layer of high-severity vulnerabilities, several of which were uncovered by external bounty hunters who collected thousands of dollars for their disclosures.
Core Graphics and the GPU in the Crosshairs
A single anonymous researcher, operating under the hash-like handle c6eed09fc8b174b0f3eebedcceb1e792, earned an $11,000 bounty for discovering CVE-2026-9112, a high-severity Use-After-Free vulnerability inside Chrome’s GPU pipeline. The same researcher netted an additional $3,000 reward for uncovering CVE-2026-9113, an out-of-bounds read vulnerability within the graphics processing architecture that could allow a malicious web application to read adjacent kernel memory fragments. In tandem with these memory boundary bugs, Google addressed CVE-2026-9117, a severe Type Confusion vulnerability located within the GFX graphics engine.
Additional Media and Core Infrastructure Patches
WebRTC received further reinforcement in this update tier to resolve two additional high-severity bugs: a heap buffer overflow (CVE-2026-9119) and a secondary Use-After-Free flaw (CVE-2026-9120).
The browser’s core networking and session management layers were similarly fortified. Google patched a high-severity UAF flaw inside the QUIC protocol engine (CVE-2026-9114), a pair of insufficient policy enforcement bugs compromising the Service Worker subsystem (CVE-2026-9115 and CVE-2026-9116), and a UAF flaw within the browser’s Extended Reality (XR) virtual environment architecture (CVE-2026-9118).
Medium-Severity Vulnerabilities and Fuzzing Wins
The remainder of the update cycle irons out several medium-severity bugs that focus primarily on application stability and input manipulation vectors:
- More GPU Boundaries: Independent security researcher David Korczynski of Adalogics teamed up with the prolific c6eed09fc8b174b0f3eebedcceb1e792 to uncover two separate out-of-bounds read vulnerabilities inside the GPU layer (CVE-2026-9121 and CVE-2026-9122). The ultimate cash rewards for these discoveries are currently listed as “To Be Determined.”
- DOM and Chromecast Overflows: Google patched a memory disclosure bug inside the Document Object Model (DOM) tracked as CVE-2026-9126, alongside a localized heap buffer overflow impacting internal Chromecast configurations (CVE-2026-9123).
- Untrusted Input Handling: The final fix addresses CVE-2026-9124, an insufficient input validation vulnerability within Chrome’s native user input processing component.
Remediation Protocol
For the vast majority of consumer installations, Google Chrome will automatically download the required security binaries and prompt users to restart their browsers to apply the patch.
However, enterprise administrators, security specialists, and high-risk users are strongly urged to verify their active browser build to eliminate exposure to these flaws immediately. You can force the update manually by navigating to the top-right menu icon and selecting Help -> About Google Chrome. Once the installer completes its download sequence, execute a full browser restart to seal the environment.
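For administrators checking a fleet rather than a single machine, the following script compares reported Chrome builds against the minimum patched builds named in this update. It is an added example, not code from Google or from the original article; the hostnames and version strings are constructed samples of what `google-chrome --version` or the Version line of chrome://version prints.

```python
import re

# Lowest build per platform that carries this release's 16 fixes (from the
# article: 148.0.7778.178/179 on Windows and Mac, 148.0.7778.178 on Linux).
MIN_PATCHED = {
    "windows": (148, 0, 7778, 178),
    "mac": (148, 0, 7778, 178),
    "linux": (148, 0, 7778, 178),
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> tuple:
    """Pull the four-part Chrome version out of CLI or chrome://version text.

    The parts are compared as integers on purpose: as strings, "148.0.7778.99"
    sorts after "148.0.7778.178" and would be misreported as patched.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(p) for p in match.groups())


def is_patched(version_text: str, platform: str) -> bool:
    """True when the build is at or above the minimum patched build."""
    return parse_version(version_text) >= MIN_PATCHED[platform.lower()]


def audit(inventory):
    """Return hostnames whose Chrome build predates this fix set.

    `inventory` rows are (hostname, platform, output of `google-chrome --version`
    or the Version line of chrome://version).
    """
    return [host for host, platform, text in inventory
            if not is_patched(text, platform)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("ws-01", "windows", "Google Chrome 148.0.7778.179"),
        ("ws-02", "windows", "Google Chrome 148.0.7778.99"),
        ("build-7", "linux", "Google Chrome 148.0.7778.178"),
        ("mac-04", "mac", "Google Chrome 147.0.7700.201"),
    ]
    for host in audit(sample):
        print(f"{host}: pre-patch build, force the update via Help -> About")
```

Because the rollout is staged over days and weeks, a host reporting an older build is not necessarily broken, but it is still exposed until the update is downloaded and the browser restarted.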