Google this week launched a Chrome 148 replace that resolves 79 vulnerabilities, together with 14 critical-severity bugs throughout a number of parts.
The primary crucial subject is a heap buffer overflow in WebML tracked as CVE-2026-8509, for which the web big paid a $43,000 bug bounty.
Google has not shared particulars on the flaw, however its severity ranking and the paid quantity recommend that it may very well be exploited for distant code execution.
The second crucial subject is CVE-2026-8510, an integer overflow weak spot in Skia that earned the reporting researcher a $25,000 reward.
The remaining 12 critical-severity security defects resolved with the newest Chrome refresh have been all found by Google.
They embrace eight use-after-free vulnerabilities in UI, FileSystem, Enter, Aura, HID, Blink, Tab Teams, and Downloads, an inadequate validation of untrusted enter flaw in DataTransfer, an object lifecycle subject in WebShare, an integer overflow bug in ANGLE, and a race situation in Funds.
The Chrome 148 replace additionally resolves 37 high-severity weaknesses, together with a number of use-after-free, out-of-bounds write, heap buffer overflow, inadequate validation of untrusted enter, integer overflow, inadequate coverage enforcement, out-of-bounds learn, and sort confusion defects.
Google says it paid $44,000 in bug bounty rewards for 4 of those flaws (the highest two rewards have been of $25,000 and $10,000). The ultimate quantity is likely to be larger, as the corporate has but to reveal the quantities for a number of different points.
Google makes no point out of any of those points being exploited within the wild.
The newest Chrome iteration is now rolling out as model 148.0.7778.167 for Linux and as variations 148.0.7778.167/168 for Home windows and macOS.
Firefox acquired a security replace as effectively. Its newest iteration, specifically model 150.0.3, resolves 5 high-severity flaws in JIT, WebAssembly, JavaScript Engine, and Profile Backup.
