Cybersecurity NewsArchived May 21, 2026✓ Full text saved
Google has released an urgent security update for Chrome, addressing 16 vulnerabilities including two rated Critical that could allow attackers to execute arbitrary code on affected systems. The Stable channel has been updated to 148.0.7778.178/179 for Windows and Mac, and 148.0.7778.178 for Linux, with the rollout expected to complete over the coming days. Critical Chrome […] The post Critical Chrome Vulnerabilities Enable Remote Code Execution Attacks – Patch Now! appeared first on Cyber Secur
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeChrome
Critical Chrome Vulnerabilities Enable Remote Code Execution Attacks – Patch Now!
By Abinaya
May 21, 2026
Google has released an urgent security update for Chrome, addressing 16 vulnerabilities including two rated Critical that could allow attackers to execute arbitrary code on affected systems.
The Stable channel has been updated to 148.0.7778.178/179 for Windows and Mac, and 148.0.7778.178 for Linux, with the rollout expected to complete over the coming days.
Critical Chrome Vulnerabilities Patched
The two most severe flaws both carry a Critical severity rating and were reported internally by Google on April 20, 2026:
CVE-2026-9111 — A Use-After-Free vulnerability in WebRTC, which could be exploited to corrupt memory and achieve remote code execution through a maliciously crafted web page.
CVE-2026-9110 — An Inappropriate Implementation flaw in the UI layer, which could allow attackers to bypass security restrictions or spoof browser interface elements.
Use-after-free bugs are particularly dangerous because they allow threat actors to manipulate freed memory regions, often leading to full system compromise when successfully chained with other exploits.
High-Severity Vulnerabilities Patched
Beyond the critical bugs, Google patched nine High-severity flaws spanning multiple components:
CVE Type Component Bounty
CVE-2026-9112 Use-After-Free GPU $11,000
CVE-2026-9113 Out-of-Bounds Read GPU $3,000
CVE-2026-9114 Use-After-Free QUIC N/A
CVE-2026-9115 Insufficient Policy Enforcement Service Worker N/A
CVE-2026-9116 Insufficient Policy Enforcement ServiceWorker N/A
CVE-2026-9117 Type Confusion GFX N/A
CVE-2026-9118 Use-After-Free XR N/A
CVE-2026-9119 Heap Buffer Overflow WebRTC N/A
CVE-2026-9120 Use-After-Free WebRTC N/A
CVE-2026-9112 and CVE-2026-9113 were responsibly disclosed by an external researcher identified as c6eed09fc8b174b0f3eebedcceb1e792, earning a combined $14,000 in bug bounties.
Other Medium-Severity Fixes
Google also patched five Medium-severity issues, including out-of-bounds reads in GPU (CVE-2026-9121, CVE-2026-9122 — credited to David Korczynski of Adalogics and the same external researcher), a heap buffer overflow in Chromecast (CVE-2026-9123), insufficient input validation (CVE-2026-9124), and a use-after-free in DOM (CVE-2026-9126).
Mitigations
Google notes that bug details will remain restricted until most users have received the patch, reducing the risk of exploitation during the rollout window.
Users and administrators should take the following steps immediately:
Navigate to chrome://settings/help and confirm the browser version is 148.0.7778.178 or higher
Restart Chrome to apply any pending updates
Enterprise administrators should force-deploy the update via policy management tools
Monitor Chrome release notes and CISA advisories for any active exploitation indicators
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Claude Code RCE Flaw Lets Attackers Execute Commands via Malicious Deeplinks
BadIIS Malware Turns Hijacks IIS Servers and Redirect Users to Illicit Sites
Compromised GitHub Action Exfiltrates Workflow Credentials to Attacker Domain
Cisco Catalyst SD-WAN Controller 0-Day Actively Exploited to Gain Admin Access
Critical SEPPmail Gateway Flaws Allow Remote Code Execution and Mail Traffic Theft
Latest News
Cyber Security News
Mini Shai-Hulud Compromises @antv npm Packages to Steal CI/CD Credentials
Cyber Security
Flipper Unveils New Flipper One Modular Linux Cyberdeck
Cyber Security News
P2PInfect Botnet Compromises Kubernetes Clusters Through Exposed Redis Instances
Cyber Security
GitHub Internal Repositories Breached Via Weaponized VS Code Extension
Cyber Security News
Nine-year-old Linux Kernel Vulnerability Let Attackers Exfiltrate SSH Private Keys