Chrome 148 includes 127 security fixes, with three critical vulnerabilities: an integer overflow in Blink (CVE-2026-7896) that could lead to heap memory corruption via crafted HTML, and two use-after-free vulnerabilities (CVE-2026-7897 and CVE-2026-7898) affecting Mobile and Chromoting components. Additionally, the release patches over 30 high-severity issues, mostly use-after-free bugs impacting multiple subsystems such as ANGLE, V8, SVG, DOM, GPU, and others. Google has rewarded researchers with substantial bug bounties, including $43,000 for the Blink integer overflow and $55,000 for a V8 out-of-bounds read/write issue. The update is rolled out as version 148.0.7778.96/97 across major desktop platforms and Linux.

The critical vulnerabilities fixed in Chrome 148 could allow remote attackers to cause heap memory corruption or use-after-free conditions, potentially leading to arbitrary code execution or browser compromise if exploited. The high-severity bugs also pose significant risks, including memory corruption and insufficient input validation across multiple browser components. However, there are currently no reports of active exploitation in the wild. The update mitigates these risks by addressing the underlying flaws.

A stable update to Chrome 148.0.7778.96/97 has been released by Google that addresses these critical and high-severity vulnerabilities. Users and administrators should apply this update promptly to ensure protection. Since this is a client-side software update, manual patching is required. There is no indication from the vendor that additional mitigations or workarounds are needed beyond applying the official update.