
Chrome 148 patches a WebRTC use-after-free that runs code on Linux (CVE-2026-9111)

Google released a stable Chrome update on 22 May 2026 that closes a serious hole for anyone browsing on Linux. Version 148.0.7778.178/179 for Windows and Mac, and 148.0.7778.178 for Linux, fixes a use-after-free in WebRTC tracked as CVE-2026-9111 and rated critical.

What actually breaks

WebRTC is the component Chrome uses for in-browser video calls, audio, and real-time data transfer. A use-after-free happens when the program frees a region of memory but keeps references to it. If an attacker manages to place controlled data into that freed memory before the code touches it again, they can redirect execution and end up running their own code.

The severity is straightforward here. There’s no file to open and nothing to install. The victim just has to visit an HTML page crafted to trigger the WebRTC bug. Because the component activates on many sites without asking for explicit permission, the exposure during normal browsing is wide.

Who it affects

CVE-2026-9111 hits Chrome on Linux in any version before 148.0.7778.178. That covers desktop users on distributions like Ubuntu, Debian, Fedora, or Arch who have Chrome installed (not the distro’s Chromium, which runs on its own schedule). Chromium-based browsers that haven’t ported the patch are affected too, though each project moves at its own pace.

The same release fixes CVE-2026-9110, a UI spoofing flaw on Windows that needs the attacker to have already compromised the renderer process. That second one doesn’t touch Linux, but it’s worth keeping in mind if you share machines with Windows.

How serious it is

Google flagged CVE-2026-9111 as critical, its highest rating. The combination of code execution and remote triggering with no interaction beyond visiting a site is what earns that label. At publication time Google did not confirm active exploitation, but exploits for use-after-free bugs in browser engines tend to appear quickly, so the window to update is narrow.

How to mitigate

Update Chrome now. On Linux, open the menu, go to Settings, then “About Chrome” (chrome://settings/help). The browser checks the version, downloads the patch, and asks you to relaunch to apply it. Afterwards, confirm the version string reads 148.0.7778.178 or higher.

If you manage a fleet of machines, push the update through your deployment system rather than trusting each user to relaunch. And if you run the distro’s Chromium package, watch your distribution’s security advisories: the upstream commit is available, but when the patched package lands depends on each maintainer.
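For the fleet case, the version check above can be scripted. The following is an added example, not part of the original article or any Google tooling: it assumes your deployment system has collected the output of `google-chrome --version` from each host as `host|output` lines, and the hostnames and build numbers in the sample inventory are constructed.

```shell
#!/bin/sh
# Added example: flag hosts whose Chrome build predates the fixed Linux build.
FIXED="148.0.7778.178"   # fixed Linux version, from the article

# Pull the first four-part build number out of `google-chrome --version` text.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Succeed when $1 >= $2, comparing each dotted field numerically.
# A string compare would rank ".96" above ".178" and miss a vulnerable build.
version_ge() {
    for i in 1 2 3 4; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Print PATCHED, VULNERABLE or UNKNOWN for one line of version output.
classify() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "UNKNOWN"
    elif version_ge "$v" "$FIXED"; then
        echo "PATCHED"
    else
        echo "VULNERABLE"
    fi
}

# Read "host|version output" lines on stdin; list hosts that still need attention.
needs_update() {
    while IFS='|' read -r host out; do
        status=$(classify "$out")
        if [ "$status" != "PATCHED" ]; then echo "$host $status"; fi
    done
}

# Constructed inventory (hostnames and builds are made up for the example).
sample_inventory() {
    cat <<'EOF'
build-01|Google Chrome 148.0.7778.178
dev-02|Google Chrome 148.0.7778.96
dev-03|Google Chrome 147.0.7700.200
kiosk-04|Google Chrome 149.0.7800.12 beta
ci-05|sh: google-chrome: command not found
EOF
}

sample_inventory | needs_update
```

A host reported as patched can still have an old browser process running, so the relaunch step described above still applies. Hosts listed as UNKNOWN returned no parseable version and need a manual look.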
