Google and Microsoft have patched a use-after-free vulnerability in Chromium’s WebAudio component, tracked as CVE-2026-7980, shipping the fix in Chrome version 148.0.7778.96 and in current Microsoft Edge builds that ingest the corrected Chromium code. The bug allows a remote attacker to execute arbitrary code inside the browser sandbox via a malicious webpage, with no privileges required beyond user interaction. While Chromium’s own severity rating pegs the flaw as “medium,” CISA’s CVSS 3.1 score lands at 8.8—high enough to warrant urgent attention, especially for Windows environments where both Chrome and Edge are deeply woven into daily workflows.
What Changed: Chrome 148 and Edge Lock Down WebAudio
CVE-2026-7980 stems from a memory management mistake in the WebAudio subsystem—a part of the browser that handles real-time audio processing, graphs, and buffer management. When a web page triggers the bug, Chromium may reference memory after it has been freed, potentially allowing an attacker to corrupt process memory and hijack execution flow. The exploit requires a crafted HTML page, which an attacker could deliver via a phishing link, a compromised site, malvertising, or even a malicious document loaded in the browser.
The official fix landed in Chrome’s stable channel on May 6–7, 2026, as version 148.0.7778.96 for Linux and 148.0.7778.96/97 for Windows and macOS. Google noted the update contains security fixes and improvements, with rollout occurring over the following days. Microsoft’s Security Update Guide entry confirms that the latest Microsoft Edge (Chromium-based) builds—specifically those in the 148.0.7778.xxx range—are no longer vulnerable, because Edge consumes the patched upstream Chromium code. No separate Edge-specific code change was needed; the fix is inherited.
Affected products and versions:
- Google Chrome: versions prior to 148.0.7778.96 on all desktop platforms (Windows, macOS, Linux)
- Microsoft Edge: any Chromium-based Edge build older than 148.0.7778.xxx (exact build numbers vary by channel)
- Other Chromium-based browsers (Brave, Vivaldi, Opera, etc.) will need to pick up the same upstream Chromium fix; responsible vendors typically release updates within days.
What It Means for You
The practical impact depends on your role:
For everyday Windows users
If you use Chrome or Edge, check that your browser has updated to the latest version. Both browsers usually auto-update, but the final step requires a relaunch. Look for an “Update” button in the About dialog or a color indicator in the menu. Restart the browser when prompted. Once you’re on the fixed version, the vulnerability is mitigated for normal web browsing. No other action is needed.
Because the bug requires you to visit a malicious page, standard safe-browsing habits help: don’t click unknown links, and be cautious with attachments. But the most important thing is to run a current browser. The sandbox containment means that even if an attacker triggers the flaw, they would need an additional exploit to break out of the sandbox and compromise your PC. Nonetheless, that’s a first foot in the door you don’t want to leave open.
For IT administrators and Windows system managers
This is where the severity disconnect matters most. You may have patching policies that treat “medium” CVEs with lower urgency—allowing weeks-long deployment windows. That would be a mistake here. The browser is an always-online attack surface, exposed to untrusted content every time a user opens a web page. CISA’s 8.8 score reflects low attack complexity and high confidentiality, integrity, and availability impact. Put simply: this is a high-priority fix.
You need to:
1. Ensure managed Chrome installations update to 148.0.7778.96 or newer.
2. Ensure managed Edge deployments reach the fixed 148.0.7778.xxx branch (the exact build will appear in Edge’s About page or via endpoint management reporting).
3. Verify these updates across your fleet—don’t rely on policy alone. Use reporting tools to confirm actual browser versions after restart.
4. Pay special attention to non-traditional endpoints: kiosks, VDI golden images, lab machines, point-of-sale terminals, and any system where browser updates may be frozen or delayed. These often drift far from the current version.
Also, audit your environment for other Chromium-based browsers. If users have installed Brave, Opera, or developer-focused browsers, check that they are receiving updates. Some third-party browsers lag behind Chrome’s release cycle, leaving a gap.
For developers embedding Chromium
If your application uses Electron, CEF, or WebView2 and bundles its own Chromium engine, you must update to a version that includes the fix. Check the Chromium milestone incorporated into your framework and ensure it is at least 148.0.7778.96 or later. Electron, for example, typically updates Chromium in major releases; upgrade promptly if you are on an older line.
How We Got Here: WebAudio’s Complexity and the Patching Pipeline
WebAudio isn’t just for browser games and oscillator demos. It underpins real-time communications, media streaming, and interactive experiences. The API handles delicate timing, callbacks, and object lifetimes—all while processing untrusted content. Mistakes like use-after-free have been a recurring ache for browser engine security.
Chromium’s rapid release cycle is a double-edged sword: it allows Google to ship security fixes quickly, but it also means the window between public patch and widespread adoption is a frantic race. Once Chrome 148 released with the fix, attackers could reverse-engineer the change and craft exploits for unpatched browsers. Organizations that lag behind the automatic rollout on managed endpoints become the low-hanging fruit.
Microsoft’s inclusion of this CVE in its Security Update Guide is a straightforward consequence of Edge being Chromium-based. The advisory makes clear that no additional Edge-specific update is required beyond the normal browser update channel. That’s a plus for admins: you don’t wait for Patch Tuesday. But it also means Edge inherits Chromium’s security calendar, which doesn’t always align with slower Windows update rhythms.
Historically, use-after-free bugs in Chrome have occasionally been chained with other exploits to achieve sandbox escape. While there is no indication that CVE-2026-7980 has been exploited in the wild as of publication, treating it as a low-risk item because it’s “medium” would be shortsighted. Many high-profile browser attacks started with a seemingly mild memory corruption.
What to Do Now: Step-by-Step
For individuals
- Open Chrome’s menu (three dots) → Help → About Google Chrome. The browser will check for updates and display the current version. If it’s below 148.0.7778.96, click “Relaunch” after the update downloads.
- In Edge, go to Settings and more (three dots) → Help and feedback → About Microsoft Edge. The browser checks for updates automatically. Restart if a newer build is installed.
- If you use another Chromium-based browser, open its About dialog similarly. The version number should show Chromium 148.0.7778 or higher. If you’re unsure, search the vendor’s support page for “security update” or “latest release.”
For IT pros
- Deploy the update via policy: In a domain-managed environment, use Group Policy or MDM to force Chrome and Edge to update. Google’s Chrome ADMX templates allow you to set “ForceBrowserSignin” and “AutoUpdateCheckPeriodMinutes,” but the simplest path is to allow automatic updates and set a maximum allowed version if you need to hold back older versions. For Edge, the “AllowMicrosoftUpdate” and “AutoUpdateCheckPeriodMinutes” policies apply.
- Verify the version after restart: Don’t trust the update service alone. Use inventory tools or SCCM/Intune reports to query the browser version across your estate. For Chrome, look at the “chrome_version” property; for Edge, check “Edge_version”. Many third-party patch management solutions can pull this data.
- Address non-updating clients: Machines that are turned off, in sleep, or not checking for updates will remain vulnerable. Set aggressive update deadlines; consider GPO settings like “Update policy override default” to force a check every few hours.
- Watch for Chromium-based apps: Electron apps often ship their own internal Chromium, which won’t update with the system browser. Maintain an inventory of these apps (Slack, Teams, VS Code, etc.) and ensure they get updated. Some enterprise app management platforms can help with this.
Long-tail considerations
- If you run internal web apps that heavily use WebAudio (audio conferencing, transcription, etc.), scan your logs for errors after the update. While unlikely, a change in memory handling could expose latent application bugs.
- Consider enabling site isolation and other sandbox hardening features if you haven’t already. These are not specific to this CVE but raise the bar against sandboxed code execution.
Outlook: The Severity Label Trap
CVE-2026-7980 is a textbook example of why browser patches should be treated with a fast-moving, verify-first approach. Chromium’s “medium” tag may have been reasonable under traditional desktop software assumptions, but browsers inhabit a different risk model. CISA’s high score and the ease of web-based delivery make this an update you should apply within days, not weeks.
The next Chromium memory bug will surface with a new CVE number and a similar debate about severity. Organizations that have already built a rhythm of rapid browser patching, cross-platform inventory, and endpoint verification will sleep easier. Those that depend on labels to triage risk may find themselves reacting too slowly.
For Windows admins, the takeaway is clear: keep Chrome and Edge on the latest stable build, verify it’s actually running, and don’t let the “medium” badge lull you into complacency. The web is too hostile a neighborhood for your users to be browsing with outdated armor.