Update Chrome Now: Patches Two Remote-Code Flaws

Google released a stable Chrome update to versions 148.0.7778.178 and 148.0.7778.179 to fix two critical vulnerabilities that can be triggered by crafted web pages. The fixes apply to Windows, macOS and Linux, and the update is rolling out over the coming weeks.

The stable channel build numbers are 148.0.7778.178 for Linux and 148.0.7778.178/179 for Windows and macOS. Users can force the update by opening Chrome’s More menu (three dots), selecting Settings > About Chrome to trigger the download, and restarting the browser. Automatic updates usually install silently but can be delayed if Chrome is never closed or if an extension blocks updates.

Google identified the two highest‑severity fixes as CVE-2026-9111 and CVE-2026-9110. CVE-2026-9111 is a use-after-free bug in WebRTC that could allow a remote attacker to run arbitrary code after a user opens a specially crafted HTML page. A use-after-free occurs when software accesses memory after it has been released, which can let an attacker overwrite memory and change program behavior.

CVE-2026-9110 concerns an inappropriate implementation in Chrome’s user interface on Windows that could let an attacker who has already compromised the renderer process display spoofed windows or dialogs. In that scenario, a fake prompt could appear legitimate and prompt a user to enter credentials or other sensitive data.

Google’s advisory says both flaws can be exploited via crafted web content. The advisory does not link the vulnerabilities to a wider active exploitation campaign.

The current update does not fix a separate disclosure known as the “Browser Fetch” flaw. That issue was reported to Chromium developers 46 months earlier and was posted publicly to the Chromium bug tracker on May 20, 2026. The reporter later found the issue remained unpatched. Although Google removed the public tracker entry, the report and exploit code remain available through archival sources. The fixes in 148.0.7778.178/179 do not address that disclosure.

To confirm the browser is up to date, open About Chrome; 148.0.7778.179 is listed as the up‑to‑date build for Windows and macOS. If the update does not appear, restarting Chrome or the device and disabling extensions that block updates may be necessary.

WebRTC is a set of browser features used for real‑time audio and video. It uses complex media processing code that can present attack surfaces when memory handling is flawed. The renderer process converts HTML, CSS and JavaScript into the page display; if that process is compromised, an attacker can attempt to manipulate the browser’s interface to collect information.

The update will reach users automatically over several days or weeks. Users who want immediate protection should check About Chrome and restart the browser. Administrators should prioritize testing and deploying the patched builds to reduce exposure across managed machines.