Critical Chrome Vulnerabilities Enable Remote Code Execution – Immediate Patch Required
What Happened
Google released Chrome 148.0.7778.178/179 updates that remediate two critical, high‑severity CVEs (CVE‑2026‑9111 and CVE‑2026‑9110). Both flaws allow a remote attacker to execute arbitrary code or spoof UI elements simply by delivering a crafted HTML page to a victim’s browser. The patches are rolling out to Windows, macOS, and Linux, but manual updates may be needed to close the window quickly.
Why It Matters for TPRM
- Chrome is the default browser for most enterprise workstations; unpatched versions expose the entire organization to drive‑by RCE attacks.
- UI‑spoofing can harvest credentials from users who believe they are interacting with trusted sites, jeopardizing downstream SaaS and cloud services.
- Vendor‑managed devices (e.g., BYOD, MSP‑controlled endpoints) may lag behind automatic roll‑out, creating uneven risk across the supply chain.
Who Is Affected
- All industries relying on Chrome for web access (finance, healthcare, retail, manufacturing, etc.)
- SaaS providers and cloud platforms whose users access admin consoles via Chrome
- MSPs and IT service vendors that provision or manage end‑user devices
Recommended Actions
- Verify that all corporate Chrome installations are on version 148.0.7778.178/179 or later.
- Enforce automatic browser updates via group policy or endpoint‑management tools.
- Conduct a short‑term scan for indicators of exploitation (e.g., anomalous UI dialogs, unexpected processes).
- Request confirmation from any third‑party vendors that manage employee workstations that the patch has been applied.
Technical Notes
- Attack vector: Remote code execution via malicious HTML pages (WebRTC use‑after‑free on Linux) and UI spoofing after renderer compromise on Windows.
- CVEs: CVE‑2026‑9111 (use‑after‑free in WebRTC, Linux), CVE‑2026‑9110 (UI spoofing on Windows).
- Data types exposed: Potential credential capture, session tokens, and any data entered into spoofed dialogs.
Source: Malwarebytes Labs – Update Chrome now: Critical bugs could let attackers run code