Impact statement: Google Chrome 148.0.7778.167/168 for desktop includes a large May 2026 security update with 79 security fixes, including multiple Critical CVEs such as CVE-2026-8509 through CVE-2026-8522. Several of the fixed bugs are memory-safety issues in browser components that process web pages, media, downloads, payments, files, and device features. For real users, that means a malicious or compromised site could potentially put a workstation at risk before the browser is updated and relaunched.
If your machines handle hosting support, customer files, WordPress admin logins, cPanel or WHM access, billing portals, SSH keys, password managers, or RMM tools, do not treat browser updates as optional. Chrome is one of the most exposed applications on Windows, macOS, Linux, ChromeOS, Android, and iOS systems because it is constantly parsing untrusted internet content.
Who should update?
- Windows 10, Windows 11, and Windows Server workstations that run Google Chrome.
- macOS systems that run Chrome, especially admin and developer machines.
- Linux desktops and support workstations using Chrome from Google’s package repositories.
- ChromeOS and ChromeOS Flex devices once the matching channel update is available.
- Android and iOS devices running Chrome through the Google Play Store or Apple App Store.
- Chromium-based browser fleets such as Microsoft Edge, Brave, Opera, and Vivaldi should watch for their own vendor updates that pull in the same Chromium fixes.
Fixed desktop versions
Google’s Stable Channel update says desktop Chrome was updated to:
- Windows and macOS: Chrome 148.0.7778.167/168.
- Linux: Chrome 148.0.7778.167.
Because Google rolls browser updates over days or weeks, some systems may not receive the update instantly unless you force an update check, use enterprise policy, or deploy through an RMM, MDM, package manager, or software-management platform.
Critical CVEs called out by Google
Google highlighted a long list of fixes. The critical entries in this desktop update include:
- CVE-2026-8509: Heap buffer overflow in WebML.
- CVE-2026-8510: Integer overflow in Skia.
- CVE-2026-8511: Use after free in UI.
- CVE-2026-8512: Use after free in FileSystem.
- CVE-2026-8513: Use after free in Input.
- CVE-2026-8514: Use after free in Aura.
- CVE-2026-8515: Use after free in HID.
- CVE-2026-8516: Insufficient validation of untrusted input in DataTransfer.
- CVE-2026-8517: Object lifecycle issue in WebShare.
- CVE-2026-8518: Use after free in Blink.
- CVE-2026-8519: Integer overflow in ANGLE.
- CVE-2026-8520: Race in Payments.
- CVE-2026-8521: Use after free in Tab Groups.
- CVE-2026-8522: Use after free in Downloads.
Google did not state in this release post that these specific CVEs are known to be exploited in the wild. That does not make them low priority. Browser criticals can move from patch notes to real-world abuse quickly, and Google intentionally keeps many technical details restricted until most users have updated.
How users can update Chrome safely
- Open Chrome.
- Go to Menu > Help > About Google Chrome.
- Let Chrome check for updates.
- Install the update when offered.
- Relaunch Chrome.
- Go back to About Google Chrome and confirm the version is at or above the fixed version for your operating system.
Chrome must be relaunched before the patched browser process is actually in use. Leaving the browser open for days after an update downloads is a common reason machines stay exposed.
Windows admin checklist
- Use Google Chrome Enterprise, Intune, RMM tooling, winget, Chocolatey, PDQ, or your normal software deployment platform to push the update.
- Prioritize admin/support workstations, machines with password managers, billing teams, developer machines, and helpdesk systems that touch customer files.
- Confirm Chrome versions from your inventory platform after reboot or browser relaunch.
- Update Microsoft Edge separately when Microsoft publishes the matching Chromium-based Edge update.
- Check that browser auto-update services are not disabled by old hardening scripts or broken group policy.
Useful Windows checks:
winget upgrade --id Google.Chrome
winget list --id Google.Chrome
For enterprise fleets, prefer your managed deployment and reporting tool over hand-running commands on every workstation.
macOS admin checklist
- Use Jamf, Kandji, Mosyle, Addigy, Munki, or your MDM to deploy Chrome updates.
- Prioritize admin laptops and any machines used for WordPress, WHM, billing, DNS, registrar, or cloud-console access.
- Confirm Chrome has relaunched after the update.
- Review browser extension policy at the same time, especially on machines used by support staff.
Local version check:
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --version
Linux admin checklist
- Use the package manager tied to your Chrome installation source.
- Confirm users restart Chrome after the package update.
- For shared admin jump boxes, update Chrome and Chromium-based browsers even if they are not your primary browser.
Debian and Ubuntu style systems:
sudo apt update
sudo apt install --only-upgrade google-chrome-stable
google-chrome --version
RHEL, Fedora, AlmaLinux, Rocky Linux, and similar systems:
sudo dnf update google-chrome-stable
google-chrome --version
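An added example (not from Google or the original article) for the version checks in the admin checklists above: it parses `--version` style output and compares it field by field against the fixed build. It assumes 148.0.7778.167 is the floor on every desktop OS; the `host|output` inventory format and the hostnames are constructed for illustration.

```sh
# Added example: flag hosts whose Chrome build is below the fixed version.
# FIXED_MIN is from the article; the inventory format/hosts are assumptions.
FIXED_MIN="148.0.7778.167"

# Pull the four-part version out of "--version" style output.
extract_version() {
  printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Succeed if version $1 >= version $2. Fields are compared as numbers,
# because a plain string compare would rank build 96 above build 167.
version_ge() {
  old_ifs=$IFS; IFS=.
  set -- $1 $2              # a1 a2 a3 a4 b1 b2 b3 b4
  IFS=$old_ifs
  for n in 1 2 3 4; do
    [ "$1" -gt "$5" ] && return 0
    [ "$1" -lt "$5" ] && return 1
    shift                   # $1 and $5 now hold the next pair of fields
  done
  return 0
}

# Classify one line of version output as PATCHED, OUTDATED or UNKNOWN.
classify() {
  v=$(extract_version "$1")
  if [ -z "$v" ]; then echo UNKNOWN
  elif version_ge "$v" "$FIXED_MIN"; then echo PATCHED
  else echo OUTDATED; fi
}

# Constructed sample inventory (not real hosts).
INVENTORY='support-01|Google Chrome 148.0.7778.168
billing-02|Google Chrome 148.0.7778.96
dev-03|Google Chrome 147.0.7700.200
jump-04|Google Chrome 149.0.7800.10
kiosk-05|not installed'

# Print every host that is not confirmed patched.
report() {
  while IFS='|' read -r host raw; do
    status=$(classify "$raw")
    [ "$status" = PATCHED ] || printf '%s %s\n' "$host" "$status"
  done <<EOF
$1
EOF
}
report "$INVENTORY"
```

Hosts reported as UNKNOWN need a manual check rather than being treated as patched.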
Android, iPhone, and iPad guidance
- On Android, update Chrome through Google Play and also keep Android System WebView current where your device uses it.
- On iPhone and iPad, update Chrome through the App Store.
- For managed mobile fleets, use MDM compliance rules to require current browser versions.
- Old mobile devices that cannot receive current browser updates should not be used for admin portals, banking, billing, hosting support, or password manager access.
What hosting companies and MSPs should do
This is not just a home-user browser issue. A compromised browser on a support workstation can become a path into hosting panels, customer WordPress sites, DNS records, registrar accounts, payment systems, and remote support tools. For hosting companies and MSPs:
- Patch browsers on support, billing, systems, and developer machines first.
- Require MFA on WHM, cPanel, WordPress, domain registrar, DNS, RMM, Git, and cloud accounts.
- Review recent browser extension installs on admin workstations.
- Make sure password-manager sessions and cloud-console sessions are protected by device trust where possible.
- Tell staff to relaunch Chrome after the update instead of waiting for the next reboot.
Virtual patching and CDN note
A CDN or WAF cannot patch a browser on a user’s machine. The practical edge-side defense is to reduce risky traffic exposure, block known malicious infrastructure where identified, and protect web admin portals with MFA, device checks, VPN, or access challenges. The permanent fix is still to update Chrome and other Chromium-based browsers.
Sources
- Google Chrome Releases: Stable Channel Update for Desktop, May 12, 2026
- NVD: CVE-2026-8509
- NVD: CVE-2026-8521
- Chrome 148 release notes
Fix I.T. Phill note: This article is protect-only. It does not include reproduction details, attack strings, or test cases. Update, relaunch, verify, and tighten access to admin portals.
