CHROME 148 has been promoted to the stable channel with 127 security fixes, including three for critical-severity vulnerabilities. The first critical flaw is an integer overflow issue in Blink, tracked as CVE-2026-7896, which could allow remote attackers to exploit heap memory corruption via a crafted HTML page; according to Google’s advisory, a $43,000 bug bounty reward was paid to the researcher who reported the flaw in mid-March.
The other two critical-severity defects, both use-after-free weaknesses, are CVE-2026-7897 and CVE-2026-7898, affecting the Mobile and Chromoting components and found by Google. Chrome 148 also includes patches for over 30 high-severity vulnerabilities and more than 60 medium-severity flaws, with a highest bounty paid for an out-of-bounds read and write issue in the V8 JavaScript engine, Project WhatForLunch receiving a $55.000 reward for the finding.
While most vulnerabilities were discovered by Google, the company notes it has paid $138,000 in bug bounty rewards to external researchers, with final totals likely higher as some payments are yet to be disclosed. The update is rolling out as version 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and macOS.