Google issued an emergency out-of-band patch for Chrome 148 on May 27, 2026, addressing an actively exploited use-after-free vulnerability in Chrome’s CSS engine that enables remote code execution with no user interaction beyond loading a malicious web page. With a CVSS of 9.5 and an EPSS score at the 96th percentile, this is a high-probability exploitation event against any unpatched endpoint. Every enterprise Chrome instance prior to 148.0.7778.96 on Windows, macOS, or Linux is exposed.