Google has unleashed a major security update for the Chrome Stable channel, addressing a staggering 79 security fixes that range from internal logic errors to high-stakes remote execution threats. The update is currently rolling out to Windows, Mac, and Linux users and is expected to reach the entire global user base over the coming days and weeks.
The new versions to watch for are 148.0.7778.167/168 for Windows and Mac, and 148.0.7778.167 for Linux.
At the forefront of this update are 14 vulnerabilities rated as “Critical,” the highest severity level in Google’s classification system. These flaws represent significant entry points for attackers if left unpatched.
Key critical vulnerabilities include:
- CVE-2026-8509: A heap buffer overflow in WebML, which earned the reporting researcher a $43,000 bounty.
- CVE-2026-8510: An integer overflow in the Skia graphics engine, netting a $25,000 reward.
- A “Use After Free” Avalanche: Google’s internal security teams identified a cluster of “Use After Free” vulnerabilities across essential components including Downloads (CVE-2026-8522), Tab Groups (CVE-2026-8521), FileSystem (CVE-2026-8512), Input (CVE-2026-8513), HID (CVE-2026-8515), UI (CVE-2026-8511), Aura (CVE-2026-8514) and Blink (CVE-2026-8518).
- CVE-2026-8520: A race condition discovered in the Payments module.
- CVE-2026-8516: Insufficient validation of untrusted input in DataTransfer.
- CVE-2026-8517: Object lifecycle issue in WebShare.
- CVE-2026-8519: Integer overflow in ANGLE.
Google continues to lean heavily on the global research community to harden its browser. This cycle saw tens of thousands of dollars in rewards distributed to independent bug hunters:
- Mojo Security: Researcher Paul Seekamp received $25,000 for identifying a high-severity “Use After Free” flaw in Mojo (CVE-2026-8523).
- Font Rendering: Matej Smycka was awarded $10,000 for discovering an out-of-bounds write vulnerability in fonts (CVE-2026-8558).
- WebAudio Exploits: Brendan Dolan-Gavitt earned $7,000 for spotting an out-of-bounds write in the WebAudio component (CVE-2026-8524).
As is standard with major Chrome releases, Google is keeping the finer technical details of these bugs “under lock and key” for now.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google stated.
This policy is designed to give users a head start on patching before malicious actors can reverse-engineer the fixes into active exploits. Restrictions also remain in place for bugs residing in third-party libraries that other projects might still be working to patch.
Are you running the latest version? To check, navigate to Settings > About Chrome. If the update is available for your device, it will download automatically. A quick restart of the browser is all that’s needed to seal these 79 security holes.
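Where opening Settings > About Chrome on every machine is impractical, the same check can be run over inventory data. The following is an added example, not code from Google or the original article: it compares reported version strings against the fixed builds listed above, using constructed hostnames and inventory lines and hypothetical function names.

```python
import re

# Fixed builds from the article: 148.0.7778.167/168 on Windows and Mac,
# 148.0.7778.167 on Linux, so .167 is the lowest patched build everywhere.
FIXED = {
    "windows": (148, 0, 7778, 167),
    "mac": (148, 0, 7778, 167),
    "linux": (148, 0, 7778, 167),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the four-part Chrome version found in text as ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    fixed = FIXED.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # unparseable data needs a manual look, not a pass
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "148.0.7778.99" above "148.0.7778.167".
    return "patched" if version >= fixed else "vulnerable"


# Constructed sample: (hostname, platform, version string as reported).
SAMPLE_INVENTORY = [
    ("ws-001", "Windows", "Google Chrome 148.0.7778.168"),
    ("ws-002", "Windows", "Google Chrome 148.0.7778.99"),
    ("mb-014", "Mac", "Google Chrome 148.0.7778.167"),
    ("lx-203", "Linux", "Google Chrome 147.0.7727.55"),
    ("lx-204", "Linux", "version unavailable"),
]


def audit(inventory):
    """Map each hostname to its classification."""
    return {host: classify(plat, text) for host, plat, text in inventory}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts that report a patched build still need the browser restart mentioned above before the fixes take effect.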