On May 6, 2026, Google shipped Chrome 148 to the stable channel, and buried within its more than 100 security fixes is a vulnerability that every Windows user—whether they run Chrome or Edge—needs to take seriously. CVE-2026-7907 is a high-severity use-after-free bug in the browser’s DOM engine, the part that turns HTML and JavaScript into the interactive web pages you use every day. A remote attacker can craft a malicious webpage that, if visited, runs arbitrary code inside the browser’s sandbox. The fix, Chrome 148.0.7778.96 for Linux and 148.0.7778.96 or .97 for Windows and macOS, closes that gap. But because Microsoft Edge is built on the same Chromium foundation, Microsoft’s own Security Response Center (MSRC) has also flagged the flaw. In plain terms: if you use any Chromium-based browser and haven’t restarted it since the update, you’re still exposed.

The fix is in Chrome 148—and in Edge

Google’s advisory is straightforward: any Chrome version earlier than 148.0.7778.96 is vulnerable. The update arrived as part of the regular stable channel release, not an out-of-band emergency push, but that doesn’t make it less urgent. Chrome 148 rolled up over 100 security patches, with CVE-2026-7907 being the most critical single item. The fixed build for Linux is explicitly 148.0.7778.96, while Windows and macOS users may see either .96 or .97, depending on their platform. You can check your version by typing chrome://version in the address bar.

What often gets lost in a “Chrome” CVE is Microsoft’s parallel track. Edge consumes Chromium’s open-source code, so when upstream patches a memory-safety flaw, Microsoft inherits it too. The MSRC entry for CVE-2026-7907 confirms that “the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable.” No separate Edge version number is published in that advisory, but the standard Edge Stable update channel delivers the fix automatically. If your Edge reports a build from mid-May 2026 or later, you’re protected. The real danger is assuming the MSRC notice only matters if you use Edge; it’s the same engine flaw, just packaged differently.

Why “high severity” for a sandboxed bug?

A CVSS score of 8.8 puts this firmly in the “patch now” category. Use-after-free bugs are a classic memory-corruption pattern: a DOM object is freed, but a later operation still refers to that freed memory. If an attacker can control what fills that memory space, the browser can be tricked into executing their code. Because this vulnerability lives in the DOM—the web’s universal execution environment—a malicious HTML page is all it takes. The description notes that “user interaction is required,” but in practice, that’s a click on a link in an email, a visit to a compromised site, or a stray ad load. Modern browser sandboxing does contain the initial code execution to the renderer process, but that’s not a silver bullet. Attackers routinely chain such bugs with sandbox escapes to gain deeper system access. The lack of public exploit code or a known in-the-wild campaign doesn’t lower the urgency; patch reverse-engineering begins the moment the update ships, narrowing the attacker’s timeline.

Who needs to act—and how quickly

Home users on Windows and Mac
If you let Chrome or Edge auto-update, the fix has likely already downloaded. But the browser must be restarted. Open Chrome’s menu ⋮ > Help > About Google Chrome; if it shows 148.0.7778.96 or higher, you’re good. If not, the update will trigger automatically on that page. In Edge, go to edge://settings/help. Close all browser windows and reopen. A visible “Update” button means you waited too long—click it. Every moment the browser runs on an old version is a window of vulnerability.

Enterprise administrators
Browser patching at scale demands more than a help desk ticket. Use these checks immediately:
- Audit Chrome and Edge versions across your fleet via Intune, Configuration Manager, or Defender Vulnerability Management. Filter for builds below 148.0.7778.96.
- Verify that group policies enforce automatic updates and, critically, browser restart deadlines. Chrome’s RelaunchNotification policy and Edge’s equivalent can force a reload after a set grace period.
- Don’t overlook WebView2 runtimes, which embed Chromium into desktop apps. Check the installed WebView2 version and apply the latest from Microsoft if it’s older than the patched Chromium base.
- If you manage Linux endpoints with Chrome, confirm that Google’s official repo is configured (apt/yum) and that the package version matches 148.0.7778.96. Distribution-packaged Chromium may lag; consult your vendor’s security notice.

Linux desktop and server users
For Chrome installed directly from Google: apt list --installed | grep google-chrome-stable or dnf list installed google-chrome-stable. The version string should begin with 148.0.7778. If you use a Chromium snap or flatpak, verify the channel is stable and up to date. Distro-provided Chromium may carry a different package version; check your distribution’s security advisory for the patched build number.

How we got here: a DOM use-after-free, once again

This isn’t a new class of vulnerability. Use-after-free bugs have plagued browsers for over a decade because the DOM is a sprawling, mutable state machine where objects are constantly created and destroyed in response to scripts and user events. The interplay between JavaScript garbage collection and C++ engine code makes lifetime mistakes both common and dangerous. Chromium’s architecture—site isolation, pointer-hardening—raises the bar, but each high-severity memory-safety CVE shows that the attack surface remains large. Google’s own security blog often acknowledges that many of Chrome’s most critical fixes are use-after-free or heap-buffer-overflow issues like this one.

CVE-2026-7907 arrived inside Chrome 148’s security train. That means you’re not just patching one bug; you’re closing dozens of avenues that could be exploited in isolation or together. The industry has made enormous strides: coordinated disclosure, rapid stable-channel updates, and mandatory restart prompts have shrunk the window between patch publication and protection. Yet the weakest link remains the time it takes for a browser process to actually exit and reload with the new build.

Google and Microsoft have both designed their browsers to download updates silently in the background. But until the running process is replaced, the vulnerable code is still executing. In an average workplace, a user might keep a browser open for days, with dozens of tabs and unsaved work. The polite “Update available” chip is easy to ignore. For CVE-2026-7907, that gap could be the difference between a protected endpoint and a foothold for a remote attacker.

For individuals, the answer is stubbornly simple: save your work, note your open tabs, and restart. For IT departments, enforce a deadline. Set Chrome’s RelaunchNotification policy to 2 (force relaunch after a set period) and configure RelaunchNotificationPeriod in milliseconds. Edge’s policies offer similar controls. Without hard enforcement, you’re relying on user goodwill—and security should never depend on that.

The Chromium supply chain means this is never just about Chrome

The MSRC listing for this CVE is a reminder that a single upstream vulnerability can propagate through every Chromium-based product. Edge, Brave, Opera, Vivaldi, and a growing list of Electron apps all consume the same rendering engine. While Google’s advisory focuses on Chrome, Microsoft’s parallel acknowledgment underscores that the fix is equally critical for Edge users. NVD’s CPE data, which sometimes lists only Chrome as an affected product, can mislead vulnerability scanners. Rely instead on vendor advisories and your own version checks.

This incident also highlights the quiet dependency called WebView2. Many line-of-business applications now embed a Chromium-powered web view, and its update cadence doesn’t always match the browser. A patched Edge doesn’t mean a patched WebView2 runtime—and vice versa. Treat WebView2 as a separate component in your patch management workflow.

Outlook: faster patches, faster verification

Google and Microsoft will continue to ship Chromium updates at breakneck speed, and zero-day exploits will occasionally slip through. The operational question for organizations in 2026 is no longer “can we get the patch?” but “can we prove, in near real time, that every running browser process has been refreshed?” Automation, agent-based version reporting, and enforced restart policies are the new table stakes. For home users, it’s simply about forming the habit: when you see that update prompt, restart. The days when you could leave a browser open for weeks without consequences are over.