Google patches Chrome flaws enabling remote code execution

Google released a Chrome update to fix two critical flaws that can enable remote code execution and UI spoofing; users should update to version 148.0.7778.178/179 now.
Google released an update to Chrome that fixes two critical security flaws that can allow remote code execution and enable UI spoofing. The stable channel build is rolling out for Windows and macOS as version 148.0.7778.178/179 and for Linux as 148.0.7778.178 over the coming weeks.
The update addresses CVE-2026-9111, a use-after-free vulnerability in WebRTC that can let an attacker execute arbitrary code on Linux if a user opens a malicious HTML page or visits a crafted website. A use-after-free error occurs when a program continues to use memory after it has been freed, creating an opening an attacker can exploit to change program behavior.
The second fix, CVE-2026-9110, covers an inappropriate UI implementation on Windows that can permit UI spoofing if the renderer process is compromised. An attacker who controls the renderer could display fake windows or dialog boxes that resemble legitimate browser or site prompts and collect input such as passwords.
Google is distributing the fixes through the Chrome stable channel. Users who do not want to wait for the automatic rollout can update immediately by opening Chrome’s More menu, going to Settings and then About Chrome. If an update is available, the browser will download it and prompt for a restart to complete installation. Automatic updates protect most users but can lag if the browser remains open for long periods or an extension interferes with updates.
The release does not include a fix for the previously reported “Browser Fetch” issue. That vulnerability, originally reported within the Chromium project 46 months ago, was posted to the public Chromium bug tracker on May 20, 2026. The researcher who posted it found the issue remained unpatched; Google removed the public post but archival copies including exploit code remain available.
Security experts advise installing the update as soon as possible, particularly for Linux users who may be exposed to the WebRTC exploit. Organizations can deploy the update through managed deployment tools to protect multiple machines, and individual users can confirm the installed version in Settings to ensure it reads 148.0.7778.179 on Windows or macOS, or 148.0.7778.178 on Linux.
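The version check described above can be run across a fleet. The following is an added example, not part of the original article; the inventory format, host names and status labels are assumptions made for illustration, and only the build numbers come from the article.

```python
import re

# Target builds as stated in the article; the platform keys are this example's own naming.
TARGET = {
    "linux": (148, 0, 7778, 178),
    "windows": (148, 0, 7778, 179),
    "macos": (148, 0, 7778, 179),
}
# The article lists the Windows/macOS release as "178/179", so .178 on those
# platforms is flagged for manual confirmation instead of being called outdated.
ALSO_LISTED = {"windows": (148, 0, 7778, 178), "macos": (148, 0, 7778, 178)}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract a four-part version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, version_text):
    """Return 'ok', 'verify', 'outdated' or 'unknown' for one machine."""
    target = TARGET.get(platform.lower())
    version = parse_version(version_text)
    if target is None or version is None:
        return "unknown"
    # Tuples compare numerically, so build 99 sorts below 178; comparing the
    # raw strings would rank "99" above "178" and hide an outdated browser.
    if version >= target:
        return "ok"
    if version == ALSO_LISTED.get(platform.lower()):
        return "verify"
    return "outdated"

# Constructed inventory (host, platform, reported version string); not real data.
SAMPLE_INVENTORY = """\
build-01,linux,Google Chrome 148.0.7778.178
build-02,linux,Google Chrome 148.0.7778.99
desk-17,windows,Google Chrome 148.0.7778.179
desk-18,windows,148.0.7778.178
mac-03,macos,Google Chrome 147.0.7700.200
kiosk-9,linux,not installed
"""

def audit(inventory_text):
    """Map each host in a CSV-style inventory to its patch status."""
    results = {}
    for line in filter(str.strip, inventory_text.splitlines()):
        host, platform, version_text = (f.strip() for f in line.split(",", 2))
        results[host] = classify(platform, version_text)
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a separate look, since a missing version string can mean the browser is absent or that the inventory agent failed.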








