Auto-CTI
MALWAREBYTES

Update Chrome now: Critical bugs could let attackers run code

CRITICAL Chrome RCE critical patching

Strategic summary

Google has released critical security updates for Chrome (version 148.0.7778.178/179) that fix two critical vulnerabilities enabling remote code execution. A use-after-free vulnerability in WebRTC (CVE-2026-9111) on Linux and a UI spoofing vulnerability on Windows (CVE-2026-9110) put users at risk through manipulated web pages. For Joel Traber AG, in the manufacturing sector, an immediate update of all Chrome browsers is required to protect company devices from cyberattacks.

Key Findings

  • CVE-2026-9111: Use-after-free vulnerability in WebRTC enables remote code execution on Linux systems via specially crafted HTML pages
  • CVE-2026-9110: UI spoofing vulnerability on Windows allows attackers with renderer access to create fake dialog boxes and password input fields
  • Manual Chrome update required: Settings > About Chrome > run the update and restart the browser for protection against critical attacks
  • Browser Fetch vulnerability: A vulnerability unknown for 46 months remained unpatched even after public disclosure in May 2026; exploit code is available
  • DACH production environment at risk: Employees could be lured to manipulated websites through phishing and thereby compromise company devices

Relevance for you

Two critical Chrome vulnerabilities enable remote code execution by visiting a malicious website and require an immediate update to version 148.0.7778.178/179.

Full text


Google has issued updates for the Chrome browser patching a number of high‑severity vulnerabilities.

The update includes fixes for two critical vulnerabilities that can be used for remote code execution just by visiting a malicious website.

The stable channel has been updated to 148.0.7778.178/179 for Windows/Mac and 148.0.7778.178 for Linux, which will roll out over the coming weeks.

How to update Chrome

If you don’t want to wait for the rollout to reach you, manually updating is easy.

The easiest way to update is to allow Chrome to update automatically. But you can end up lagging behind if you never close your browser or if something goes wrong, such as an extension preventing the update.

To update manually, click the **More** menu (three dots), then go to **Settings** > **About Chrome**. If an update is available, Chrome will start downloading it. Restart Chrome to complete the update, and you’ll be protected against these vulnerabilities.

Chrome version 148.0.7778.179 is up to date
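
For administrators who need to confirm the update across many machines, here is an added example (not part of the original article) that checks reported Chrome version strings against the fixed build 148.0.7778.178 named above. The hostnames, the sample version strings and the function names are constructed for illustration; how the strings are collected from endpoints is assumed to be handled by existing inventory tooling.

```python
import re

# Lowest fixed stable build named in the article (178 on Linux, 178/179 on Windows/Mac).
FIXED_BUILD = (148, 0, 7778, 178)

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the four-part Chrome version found in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Classify one reported version string as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # needs manual review; never count it as patched
    # Tuple comparison is numeric per component, so build 99 sorts below build 178.
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def audit(inventory):
    """Group hosts by status; inventory is an iterable of (host, version_text) pairs."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version_text in inventory:
        report[classify(version_text)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hostnames and version strings are made up).
SAMPLE_INVENTORY = [
    ("lin-ws-01", "Google Chrome 148.0.7778.178"),
    ("win-ws-02", "148.0.7778.179"),
    ("mac-ws-03", "Google Chrome 148.0.7778.99"),
    ("lin-ws-04", "Google Chrome 147.0.7700.200"),
    ("win-ws-05", "not installed"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Comparing the versions as plain strings would wrongly rank 148.0.7778.99 above 148.0.7778.178, which is why the check parses each component as an integer.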

The update includes fixes for two critical vulnerabilities:

CVE-2026-9111: A use-after-free vulnerability in WebRTC allowed a remote attacker to execute arbitrary code on Linux via a crafted HTML page. Use-after-free is a class of vulnerability caused by incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker may be able to use the error to manipulate the program.

So if an attacker manages to trick a Linux user into opening a malicious HTML file or visiting a specially crafted website, they could compromise the device.

CVE-2026-9110: An inappropriate implementation in the UI on Windows allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page.

In practice, this meant that, if an attacker had already taken control of the browser’s internal rendering engine, they could trick the browser into showing you a fake window or dialog box that looked real. This fake window could, for example, make it seem like you were entering your password on a trusted site, even though you were actually giving it to the attacker.

For those that haven’t read about it, since its reporting 46 months ago, the “Browser Fetch” vulnerability remained unknown except to Chromium developers. Then on May 20, 2026, it was published to the Chromium bug tracker. The researcher who initially reported the vulnerability assumed it had finally been fixed. Shortly afterwards, she learned that it remained unpatched. While Google removed the post, it remains available on archival sites, along with the exploit code.


Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.


Risk Score

Review needed: 65

  • cvss base: 45.00
  • kev bonus: 0.00
  • epss bonus: 0.00
  • poc bonus: 15.00
  • raw before weight: 60.00
  • industry weight: 1.21
  • freshness factor: 1.00
  • days old: 0.00
  • vendor mismatch penalty: 0.00
  • consensus penalty: -8.00

Path: operational
