{"id":13234,"date":"2026-05-29T10:03:36","date_gmt":"2026-05-29T10:03:36","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/29\/google-patches-151-vulnerabilities-in-chrome-including-22-critical-ones\/"},"modified":"2026-05-29T10:03:36","modified_gmt":"2026-05-29T10:03:36","slug":"google-patches-151-vulnerabilities-in-chrome-including-22-critical-ones","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/29\/google-patches-151-vulnerabilities-in-chrome-including-22-critical-ones\/","title":{"rendered":"Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical Ones"},"content":{"rendered":"

Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical Ones
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Google has pushed a major Chrome Stable update<\/a> that fixes 151 security flaws, including 22 critical vulnerabilities affecting core graphics, networking, media, and UI components across Windows, macOS, and Linux.<\/p>\n

The Stable channel has been updated to version 148.0.7778.216\/217 for Windows, 148.0.7778.215\/216 for macOS, and 148.0.7778.215 for Linux, with the rollout scheduled over the coming days and weeks.<\/p>\n

A full list of code changes between builds 148.0.7778.180 and 148.0.7778.217 is available in the Chromium source log. However, Google is restricting detailed bug information until most users receive the patch.<\/p>\n

This staggered disclosure reduces the risk that attackers will weaponize the bugs against unpatched systems.<\/p>\n

Google credits both internal teams and external security researchers for surfacing the issues during the development cycle and notes that many bugs were caught before they ever reached the stable branch.<\/p>\n

The company again highlights its use of sanitizers, fuzzers, and control-flow integrity to detect memory corruption and undefined behavior at scale.<\/p>\n

151 Vulnerabilities Patched in Chrome<\/strong><\/h2>\n

Of the 151 vulnerabilities, 22 are rated critical, and several have already attracted substantial bug bounties.<\/p>\n

Notable externally reported issues include an out-of-bounds write in the GPU process (CVE-2026-9872), use-after-free in Network (CVE-2026-9873), a use-after-free in Dawn (CVE-2026-9874), and an out-of-bounds read in WebGL (CVE-2026-9875), with rewards of up to 43,000 USD per report.<\/p>\n

These flaws could enable sandbox escapes, remote code execution, or data corruption if an attacker can lure a victim to a malicious page.<\/p>\n

The majority of critical fixes, however, come from Google\u2019s own teams and target the graphics and rendering stack<\/a>, including ANGLE, Skia, WebGL, Dawn, XR, Bluetooth, UI, and core browser infrastructure.<\/p>\n

Issues range from use\u2011after\u2011free and heap buffer overflows to integer overflows and insufficient validation of untrusted input, all of which are classic building blocks for reliable exploits in modern browsers.<\/p>\n

Beyond the critical bugs, Google patched <\/a>a large set of high\u2011severity flaws across DOM, Accessibility, Site Isolation, WebCodecs, PDF\/PDFium, WebRTC, Passwords, WebAppInstalls, Media, USB, and more.<\/p>\n

These include additional use\u2011after\u2011free conditions, out\u2011of\u2011bounds reads and writes<\/a>, race conditions, and uninitialized memory use, many of which were reported internally. However, some also credited researchers at Mozilla, Microsoft, OpenAI, and others.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
CVE ID<\/th>\nComponent<\/th>\nBug type<\/th>\nReporter<\/th>\nReward<\/th>\n<\/tr>\n<\/thead>\n
CVE-2026-9872<\/strong><\/td>\nGPU<\/td>\nOut of bounds write<\/td>\ncinzinga<\/td>\n43,000 USD<\/td>\n<\/tr>\n
CVE-2026-9873<\/strong><\/td>\nNetwork<\/td>\nUse after free<\/td>\ncinzinga<\/td>\n43,000 USD<\/td>\n<\/tr>\n
CVE-2026-9874<\/strong><\/td>\nDawn<\/td>\nUse after free<\/td>\nAnonymous<\/td>\n11,000 USD<\/td>\n<\/tr>\n
CVE-2026-9875<\/strong><\/td>\nWebGL<\/td>\nOut of bounds read<\/td>\nAnonymous<\/td>\n5,000 USD<\/td>\n<\/tr>\n
CVE-2026-9876<\/strong><\/td>\nWebGL<\/td>\nUse after free<\/td>\nhappy2me<\/td>\nTBD<\/td>\n<\/tr>\n
CVE-2026-9877<\/strong><\/td>\nANGLE<\/td>\nUse after free<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9878<\/strong><\/td>\nANGLE<\/td>\nUse after free<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9879<\/strong><\/td>\nANGLE<\/td>\nOut of bounds write<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9880<\/strong><\/td>\nWebGL<\/td>\nInsufficient validation of untrusted input<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9881<\/strong><\/td>\nBluetooth<\/td>\nUse after free<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9882<\/strong><\/td>\nANGLE<\/td>\nInteger overflow<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9883<\/strong><\/td>\nBase<\/td>\nUse after free<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9884<\/strong><\/td>\nBrowser<\/td>\nUse after free<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9885<\/strong><\/td>\nUI<\/td>\nInsufficient validation of untrusted input<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9886<\/strong><\/td>\nBase<\/td>\nUse after free<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9887<\/strong><\/td>\nProxy<\/td>\nUse after free<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9888<\/strong><\/td>\nWebView<\/td>\nUse after free<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9889<\/strong><\/td>\nDawn<\/td>\nOut of bounds read and write<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9890<\/strong><\/td>\nXR<\/td>\nUse after free<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9891<\/strong><\/td>\nExtensions<\/td>\nUse after free<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9892<\/strong><\/td>\nSkia<\/td>\nInappropriate implementation<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n
CVE-2026-9893<\/strong><\/td>\nSkia<\/td>\nUse after free<\/td>\nGoogle<\/td>\nN\/A<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Medium\u2011severity vulnerabilities cover further integer overflows and insufficient input validation in components such as ANGLE, Skia, USB, V8, and Headless<\/a>, with smaller but still significant bounties paid out.<\/p>\n

Google notes that many of these bugs were found using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL, reinforcing the role of automated testing in reducing browser attack surface.<\/p>\n

As usual, some bug details will remain private if they also affect widely used third\u2011party libraries that have not yet shipped their own fixes.<\/p>\n

Enterprise defenders and end users are urged to upgrade Chrome to the latest 148.0.7778.x<\/a> Stable build as soon as it becomes available for their platform, or to switch to a faster release channel if they need earlier access to patches.<\/p>\n

Google encourages anyone who discovers new issues to file them via the public bug tracker and to use the Chrome community help forum for support on update and deployment issues.<\/p>\n

Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n

The post Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical Ones<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical Ones Google has pushed a major Chrome Stable update that fixes 151 security flaws, including 22 critical vulnerabilities affecting core graphics, networking, media, and UI components across Windows, macOS, and Linux. The Stable channel has been updated to version 148.0.7778.216\/217 for Windows, 148.0.7778.215\/216 for macOS, and […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[768,129,63,648],"tags":[130],"class_list":["post-13234","post","type-post","status-publish","format-standard","hentry","category-chrome","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13234"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13234"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13234\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}