Chrome Security Update Patches Two Critical RCE Flaws: One Exploit Still Public, Unpatched

Version 148.0.7778.178/179 fixes 16 vulnerabilities including two critical remote code execution bugs — but a separate Browser Fetch exploit, publicly disclosed the next day with working proof-of-concept code, remains unpatched across every Chromium-based browser.


Google pushed a security update for Chrome on May 19, 2026, patching 16 vulnerabilities — including two rated Critical — that could allow an attacker to execute arbitrary code on a victim's machine simply by directing them to a malicious web page. The update to version 148.0.7778.178/179 for Windows and Mac, and 148.0.7778.178 for Linux, is rolling out across desktop platforms over the coming days; users on managed or manually updated systems should not wait for the rollout to reach them.

The urgency is compounded by a separate development that landed the very next day. On May 20, researcher Lyra Rebane's long-unresolved Browser Fetch API vulnerability was accidentally published to the public Chromium bug tracker — complete with working proof-of-concept exploit code. It remains unpatched. That flaw was first reported by Rebane to Chromium developers in late 2022 and has gone more than 42 months without a fix, carrying a Priority 1 urgency rating and a Severity 2 classification in Chromium's internal vulnerability framework. Updating Chrome does not protect against it.

Two Critical Flaws Patched: What Each One Does

The two most severe vulnerabilities in the May 19 update both carry Critical ratings and were reported internally by Google on April 20, 2026, according to Malwarebytes security researcher Pieter Arntz.

CVE-2026-9111 is a use-after-free flaw in WebRTC, Chrome's real-time communication component. Use-after-free bugs occur when a program continues to reference a memory location after it has been freed; in WebRTC, this allowed a remote attacker to execute arbitrary code on a Linux system by luring the user to a specially crafted HTML page. No user interaction beyond visiting the page was required.

CVE-2026-9110 is an inappropriate implementation flaw in Chrome's UI layer on Windows. To exploit it, an attacker would first need to have compromised the browser's renderer process — the internal engine that interprets web content. With that foothold, the flaw enabled UI spoofing: an attacker could make the browser display a fake dialog box or window that appeared completely legitimate, such as a password prompt that appeared to belong to a trusted site while actually sending credentials to attacker infrastructure.

Beyond the two critical flaws, this patch addresses nine high-severity issues and five medium-severity vulnerabilities across multiple Chrome components, for a total of 16 security fixes in this update.

Browser Fetch Vulnerability: Still Unpatched, Exploit Code Now Public

The Browser Fetch API flaw presents a categorically different risk from the two patched CVEs: it is not fixed, and working exploit code is now publicly accessible on internet archival sites after Google accidentally published the vulnerability disclosure on May 20. Google removed the post shortly after, but the code remained findable.

The vulnerability lies in the Browser Fetch API, a browser feature that enables large files — videos, downloads — to continue loading in the background through a mechanism called Service Workers. Rebane discovered that this process can be weaponized to create persistent background tasks that never terminate, maintaining a continuous connection to an attacker-controlled server. A single website visit is sufficient to silently enroll a browser in a limited botnet-style network. In Microsoft Edge specifically, the malicious connection persists even after the browser is closed or the device is rebooted.

Rebane noted that while current capabilities are limited to browser-level actions — monitoring browsing activity and proxying connections — the real danger lies in what a pre-established network of compromised browsers enables: a ready infrastructure that can be leveraged further when additional exploits are identified. Exploitation is "pretty easy," Rebane said, and the attack scales to tens of thousands of affected browsers with no visible indicators to the user.

The flaw affects Chrome, Microsoft Edge, Brave, Opera, and every other browser built on the Chromium codebase. Firefox and Safari, which use separate browser engines, are not affected.

Why Enterprise Environments Face Elevated Risk

Chrome's automatic update model provides reasonable protection for most consumer users. Enterprise environments are a different case. Organizations running managed update cycles or deferred rollouts face a window of exposure between the date Google releases a security update and the date it reaches managed devices through patch management tooling. For the two patched critical flaws, that window closes only after version 148.0.7778.178 or later is deployed and confirmed across endpoints.

The Browser Fetch API flaw presents an exposure that cannot be closed by updating Chrome at all. Until Google issues a dedicated patch, organizations should assess whether their endpoint monitoring can detect unusual background browser processes maintaining persistent outbound connections — the behavioral signature this flaw produces.
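One way an endpoint team could hunt for that signature, as an added example that is not from the article or from any vendor tooling (the process/connection fields, browser image names and the 30-minute threshold are assumptions):

```python
# Added example, not from the article: flag outbound connections that a Chromium-family
# browser process keeps open for a long time after its parent browser has exited, the
# background-persistence signature described above. Snapshot data and field names are
# constructed assumptions about what an EDR or netstat export provides.
from dataclasses import dataclass

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "chrome", "msedge"}
PERSISTENCE_THRESHOLD_S = 30 * 60   # assumed: 30 minutes counts as "persistent"

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str

@dataclass(frozen=True)
class Conn:
    pid: int
    remote: str            # "host:port" of the outbound peer
    established_at: int    # epoch seconds

def persistent_background_connections(procs, conns, now):
    """Return [(pid, image, remote, age_s)] for browser connections older than the
    threshold whose owning process has lost its parent browser process."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for c in conns:
        p = by_pid.get(c.pid)
        if p is None or p.image.lower() not in BROWSER_IMAGES:
            continue
        age = now - c.established_at
        if age < PERSISTENCE_THRESHOLD_S:
            continue
        # Orphaned: parent pid gone (Windows keeps the stale ppid) or reparented to
        # init (Linux). A live main browser process under the desktop shell is not.
        if p.ppid not in by_pid or p.ppid == 1:
            findings.append((c.pid, p.image, c.remote, age))
    return findings

# Constructed snapshot: Edge was closed (pid 4100 is gone) but its child 4200 still
# holds a two-hour-old connection; Chrome (5000) and its renderer (5010) look normal.
NOW = 1_800_000_000
SAMPLE_PROCS = [Proc(4000, 1500, "explorer.exe"), Proc(4200, 4100, "msedge.exe"),
                Proc(5000, 4000, "chrome.exe"), Proc(5010, 5000, "chrome.exe")]
SAMPLE_CONNS = [Conn(4200, "203.0.113.7:443", NOW - 7200), Conn(4200, "203.0.113.8:443", NOW - 60),
                Conn(5010, "198.51.100.9:443", NOW - 7200), Conn(5000, "198.51.100.9:443", NOW - 60)]

if __name__ == "__main__":
    for f in persistent_background_connections(SAMPLE_PROCS, SAMPLE_CONNS, NOW):
        print("ALERT pid=%d image=%s remote=%s age=%ds" % f)
```

Long-lived connections from a browser that is still open are common (WebSockets, push channels), so the orphaned-parent condition is what keeps this from paging on ordinary traffic.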

Browser-based social engineering attacks, including ClickFix campaigns — which trick users into executing malicious commands by displaying fraudulent browser warnings — continue to make unpatched browser vulnerabilities a high-priority attack surface. Security firm Recorded Future's Insikt Group assessed in March 2026 that ClickFix would "very likely remain a primary initial access vector throughout 2026."

How to Update Chrome Now

Chrome updates automatically when it is relaunched. Users who leave the browser open for extended periods, or whose enterprise environment has delayed the rollout, may be running an unprotected version.

To update manually: click the three-dot menu in Chrome's upper right, navigate to Settings > About Chrome, and let Chrome check for and download the update. A browser restart completes the installation. Confirm the version number reads 148.0.7778.178 or higher.

Enterprise administrators should push version 148.0.7778.178 or later through their endpoint management tooling and verify deployment before the staged rollout reaches managed devices organically.
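To verify that deployment, an added example (not from the article) that compares reported Chrome builds against the patched minimum component by component, with a constructed fleet inventory:

```python
# Added example, not from the article: check reported Chrome builds against the patched
# minimum from this update, comparing each dotted component as an integer rather than
# as text. The inventory lines are constructed; the minimum version is from the article.
import re

PATCHED_MIN = "148.0.7778.178"

def parse_version(text):
    """Pull the first four-part dotted version out of text such as
    'Google Chrome 148.0.7778.178' and return it as a tuple of ints."""
    m = re.search(r"\b(\d+(?:\.\d+){3})\b", text)
    if m is None:
        raise ValueError("no Chrome version in %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))

def is_patched(reported, minimum=PATCHED_MIN):
    """True when the reported build is at or above the minimum. Tuple comparison is
    what makes 148.0.7778.9 rank below 148.0.7778.178; a plain string comparison
    would get that backwards."""
    return parse_version(reported) >= parse_version(minimum)

def hosts_needing_update(inventory, minimum=PATCHED_MIN):
    """inventory: iterable of (hostname, version_output). Returns hostnames still below
    the minimum, plus hosts whose output could not be parsed (unknown state is reported
    rather than silently counted as compliant)."""
    outstanding = []
    for host, output in inventory:
        try:
            if not is_patched(output, minimum):
                outstanding.append(host)
        except ValueError:
            outstanding.append(host)
    return outstanding

# Constructed inventory, as a fleet query of `chrome --version` might return it.
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 148.0.7778.179"),
    ("ws-02", "Google Chrome 148.0.7778.9"),     # lexically "bigger", numerically older
    ("ws-03", "Google Chrome 147.0.7700.210"),   # constructed pre-update build
    ("ws-04", "Google Chrome 148.0.7778.178"),
    ("ws-05", "chrome: command not found"),
]

if __name__ == "__main__":
    print("needs update:", hosts_needing_update(SAMPLE_INVENTORY))
```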


Frequently Asked Questions

What does the Chrome security update released May 19, 2026, fix?

The update brings Chrome to version 148.0.7778.178/179 and patches 16 vulnerabilities, including two rated Critical. Both critical flaws — a use-after-free bug in WebRTC and an inappropriate UI implementation on Windows — could allow a remote attacker to execute arbitrary code or spoof browser windows by directing a user to a malicious web page. Neither critical flaw was known to be actively exploited before the patch was released.

What is the Browser Fetch vulnerability and does the Chrome update fix it?

The Browser Fetch vulnerability is an unpatched flaw in the Browser Fetch API, first reported by independent researcher Lyra Rebane in late 2022. It allows a malicious website to enroll a visitor's browser in a persistent background network without any visible indicator to the user. The Chrome update released May 19, 2026 does not fix this flaw. Working proof-of-concept exploit code became publicly available on May 20, 2026, when Google accidentally published the vulnerability disclosure to the Chromium bug tracker.

Is Chrome automatically updated, or do I need to do something?

Chrome updates automatically when the browser is relaunched, but users who leave the browser open continuously, or who are in enterprise environments with managed update cycles, may not receive the update immediately. To manually trigger the update, open the three-dot menu, go to Settings > About Chrome, and Chrome will check for and install the latest version. A browser restart is required to complete the process.

Does the unpatched Browser Fetch flaw affect Microsoft Edge and other browsers?

Yes. Because Microsoft Edge, Brave, Opera, Vivaldi, and most other modern browsers other than Firefox and Safari are built on the same Chromium codebase, they share the Browser Fetch API vulnerability. Microsoft Edge has an additional exposure: the malicious background connection the flaw creates persists even after the browser is closed or the device is rebooted.
