Google and Microsoft have both confirmed a critical vulnerability in the WebRTC component of Chromium-based browsers, tracked as CVE-2026-7988. The flaw, a type-confusion bug, was disclosed on May 6, 2026, and patched in Google Chrome 148.0.7778.96 and a corresponding Microsoft Edge update released a day later. If you run Chrome, Edge, or any Chromium-derived browser, you need to update now—no excuses.

This isn't a theoretical risk. Type-confusion vulnerabilities in WebRTC can allow remote attackers to execute arbitrary code or crash the browser by tricking a user into visiting a malicious website or clicking a crafted link. The real-time communication framework that powers video calls in your browser is a rich attack surface, and this CVE marks the third major WebRTC flaw patched in 2026 alone.

What is CVE-2026-7988?

CVE-2026-7988 is a type-confusion vulnerability in the WebRTC stack of Chromium. Type confusion occurs when a program allocates memory for one data type but later interprets that memory as a different type. Attackers exploit this mismatch to corrupt memory, divert code execution, or read sensitive data beyond the intended boundaries. In WebRTC, specific handling of media tracks or SDP (Session Description Protocol) offers can trigger the confusion, leading to a use-after-free or out-of-bounds write.

Google's advisory rates the severity as High for Chrome on Windows, macOS, and Linux. The CVSS score was not yet published at the time of this article, but similar WebRTC type-confusion bugs have scored between 8.3 and 8.8 in recent months, placing them firmly in the critical-impact category.

Microsoft coordinated with Google and released a fix for Edge within 24 hours. The Edge update, version 148.0.7778.96 (or the equivalent Edge-specific build number), addresses the same underlying Chromium code. Because Edge shares the Chromium engine, any patch for Chrome applies directly to Edge's core, though Microsoft may add additional hardening.

Technical Breakdown: The WebRTC Attack Surface

WebRTC enables peer-to-peer audio, video, and data sharing without plugins. Under the hood, it relies on a complex pipeline of codecs, network stacks, and JavaScript APIs. The type confusion in CVE-2026-7988 resides in how browsers parse and validate certain media constraints during the offer/answer exchange. A malicious peer could craft an SDP message with conflicting type definitions, causing the browser's internal C++ code to treat a pointer as an integer—or vice versa.

Once that memory corruption occurs, an attacker can:
- Redirect execution flow to shellcode injected via a separate JavaScript exploit.
- Smuggle data out of the renderer sandbox by forging object pointers.
- Simply cause a denial-of-service crash, which might be enough to disrupt critical services.

While Chrome's sandbox architecture limits the immediate damage, chaining this bug with a sandbox-escape vulnerability (e.g., a kernel flaw) could lead to full system compromise. No such chain has been publicly reported for CVE-2026-7988, but the history of browser exploits proves that determined attackers combine bugs.

Who Is Affected?

Every user running a Chromium-based browser released before the fix is vulnerable. This includes:
- Google Chrome versions prior to 148.0.7778.96
- Microsoft Edge versions prior to the May 7, 2026 security update
- Brave, Vivaldi, Opera, and other Chromium forks that have not yet pulled the latest upstream patches
- Electron-based apps that embed an outdated Chromium runtime, such as Slack, Discord, or VS Code (if they expose WebRTC functionality)
- Android System WebView and Chrome for Android, if not updated via Google Play

Microsoft Edge users on Windows are particularly at risk because Edge is deeply integrated into the operating system, handling everything from PDFs to Cortana web searches. An exploit could potentially be triggered by a malicious PDF opened in Edge or even by a search suggestion.

Patching and Mitigation

Updating is the only reliable mitigation. Here’s how to check your browser version and force an update:

Google Chrome

  1. Click the three-dot menu in the top-right corner.
  2. Navigate to Help > About Google Chrome.
  3. The browser will automatically check for updates and download version 148.0.7778.96 or later.
  4. Restart Chrome to complete the installation.

Microsoft Edge

  1. Open Edge and go to Settings and more (…) > Help and feedback > About Microsoft Edge.
  2. Edge will download the latest update. After installation, restart the browser.
  3. Alternatively, Windows Update may deliver the Edge patch automatically for managed devices.

For enterprise IT teams, Microsoft has released the fix through the Microsoft Edge Stable Channel and the Microsoft Update Catalog. The KB article for this release (KB5045521) details the specific build numbers. The update is also available via WSUS and Microsoft Intune.

Verification

After updating, your Edge version should show 148.0.7778.96 or higher. To confirm, open the About page or enter edge://version in the address bar and check that the version listed is 148.0.7778.96 or later.
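A version check an administrator can run against a browser inventory, as an added example that is not a tool from Google or Microsoft. It assumes version strings in the form printed by `chrome --version` / `msedge --version` or shown on the About page (for example "Microsoft Edge 148.0.7778.96") and compares them numerically, component by component, against the fixed build named above; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed build from the advisory; Chrome and Edge carry the same number here.
FIXED_VERSION = (148, 0, 7778, 96)

# Four-part Chromium version anywhere in the string (assumed format of the
# "--version" output and the About/edge://version page).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the four-part Chromium version from a version string."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chromium version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(text: str, fixed: tuple = FIXED_VERSION) -> bool:
    """True when the version in `text` is at or above the fixed build.

    Tuple comparison is numeric per component, so 148.0.7778.100 and
    148.0.7800.1 both count as patched while 99.0.9999.999 does not; a plain
    string comparison would get all three of these wrong.
    """
    return parse_version(text) >= fixed


def audit(inventory: dict) -> dict:
    """Map host -> patched? for an inventory of host -> version string."""
    return {host: is_patched(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not real telemetry).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 148.0.7778.96",
    "ws-02": "Microsoft Edge 147.0.7700.12",
    "ws-03": "Google Chrome 148.0.7778.100",
    "ws-04": "Microsoft Edge 148.0.7800.1",
    "ws-05": "Chromium 99.0.9999.999",  # older major version despite larger digits
}

if __name__ == "__main__":
    for host, ok in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {'patched' if ok else 'VULNERABLE - update required'}")
```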

Temporary Workarounds

If you cannot update immediately—for instance, due to legacy application compatibility—consider these hardening steps:
- Disable WebRTC by setting the flag chrome://flags/#disable-webrtc to Enabled (this breaks video calls).
- Use Group Policy to set the WebRTCUDPPortRange to an empty string, effectively blocking WebRTC UDP traffic.
- Deploy a firewall rule to block outbound connections to common WebRTC STUN/TURN port ranges (3478-3480, 19305-19307).

None of these is a substitute for patching. They merely reduce the attack surface.

How to Tell If You’ve Been Compromised

Exploitation of browser type-confusion bugs typically leaves few traces on disk because the payload runs entirely in memory. However, you can watch for:
- Unexpected browser restarts or crashes when visiting unfamiliar sites.
- New, unrecognized processes spawned from the browser (visible in Task Manager or procmon).
- Unusual outbound network connections established by the browser process to known-bad IPs.

Security tools that use exploit prevention (like Microsoft Defender for Endpoint’s network protection or Attack Surface Reduction rules) may log attempts to leverage the vulnerability. Check for alerts referencing “shellcode injection” or “memory corruption” tied to msedge.exe or chrome.exe.

Enterprise admins should review proxy logs for anomalous WebRTC traffic and ensure their EDR solutions have the latest detection rules for CVE-2026-7988. Both Microsoft and CrowdStrike have released indicators of compromise (IOCs) for related exploit attempts.
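One way to hunt for the second indicator above (a non-browser process spawned by the browser) over process-creation telemetry, as an added example that is not part of the article or of any vendor's detection content. It assumes a Sysmon-style CSV export with `UtcTime`, `ParentImage`, `Image` and `CommandLine` columns; the log lines are constructed, and the allowlist of legitimate non-browser children is an assumption to tune per environment.

```python
import csv
import io

# Browser images named in the article. Renderer, GPU and utility processes all
# run under the same image name, so a child with a different image stands out.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}

# Assumed allowlist of non-browser children that are legitimate in your
# deployment (updaters, helper tools). Empty by default: flag everything else.
ALLOWED_CHILDREN = set()


def image_name(path: str) -> str:
    """Lower-case basename of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_children(log_text: str) -> list:
    """Return process-creation events whose parent is a browser and whose
    child image is neither the browser itself nor an allowlisted helper."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        parent = image_name(row["ParentImage"])
        child = image_name(row["Image"])
        if parent in BROWSER_IMAGES and child not in BROWSER_IMAGES \
                and child not in ALLOWED_CHILDREN:
            hits.append({"time": row["UtcTime"], "parent": parent,
                         "child": child, "cmdline": row["CommandLine"]})
    return hits


# Constructed sample log (hypothetical events, not real telemetry).
SAMPLE_LOG = """UtcTime,ParentImage,Image,CommandLine
2026-05-06 14:02:11,C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe,C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe,msedge.exe --type=renderer
2026-05-06 14:02:19,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,chrome.exe --type=gpu-process
2026-05-06 14:03:40,C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,powershell.exe -WindowStyle Hidden -File <placeholder>
2026-05-06 14:05:02,C:\\Windows\\explorer.exe,C:\\Windows\\System32\\notepad.exe,notepad.exe
"""

if __name__ == "__main__":
    for hit in suspicious_children(SAMPLE_LOG):
        print(f"{hit['time']}  {hit['parent']} -> {hit['child']}  {hit['cmdline']}")
```

Only the third event is reported: the browser's own renderer and GPU children and the unrelated explorer.exe child are ignored.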

The Bigger Picture: WebRTC Under Siege

CVE-2026-7988 is not an isolated incident. WebRTC has been a recurring target:
- CVE-2026-6543 (February 2026): A heap buffer overflow in WebRTC video frame handling.
- CVE-2025-11234 (November 2025): A use-after-free in the DTLS handshake.
- CVE-2025-8567 (July 2025): An integer overflow in WebRTC audio processing.

Each of these required emergency patches from Microsoft and Google. The pattern suggests that threat actors are investing heavily in auditing the WebRTC codebase, likely because it includes platform-specific optimizations that increase the chance of memory-safety errors. Chrome’s addition of a hardware-accelerated video codec and support for new media formats broadens the attack surface further.

Microsoft has been gradually enabling Super Duper Secure Mode in Edge, which disables the just-in-time (JIT) compiler in critical contexts. This makes exploitation of type confusion much harder but not impossible. Users can opt into this mode via edge://flags/#edge-enable-super-duper-secure-mode as an additional defense-in-depth measure, though it may cause minor performance degradation on some sites.

Google’s long-term plan to rewrite WebRTC in memory-safe Rust (the “Rust-ification” project) remains years away. For now, rapid patching is the frontline defense.

What Enterprise Customers Need to Do

Organizations that use Microsoft Defender for Endpoint or other endpoint detection platforms should:
1. Confirm that the May 2026 Edge security update is deployed to all endpoints via their patch management system.
2. Force a restart of browser processes after updating—many users keep browsers open for weeks.
3. Audit third-party applications that embed Chromium (Slack, Teams, etc.) and ensure they are updated to use a fixed version of the engine.
4. Enable attack surface reduction rule “Block WebRTC connections from untrusted origins” (if available in your ASR ruleset).
5. Monitor for exploitation attempts using the IOCs provided by Microsoft’s Threat Intelligence team.

For home users and small businesses, the guidance is simple: update your browser now and restart it. Enable automatic updates if you haven’t already.

The Disclosure Timeline

Based on public records, the timeline appears to be:
- March 2026: An anonymous security researcher reports the bug through Chromium’s Vulnerability Reward Program.
- April 2026: Google internally reproduces the type confusion and begins developing a patch.
- May 2, 2026: The patch is committed to the Chromium source code repository.
- May 6, 2026: Google releases Chrome 148.0.7778.96 to the stable channel, simultaneously publishing the CVE.
- May 7, 2026: Microsoft issues Edge 148.0.7778.96, referencing the same CVE.

No evidence suggests active exploitation at the time of disclosure, but that could change quickly once the patch itself reveals the vulnerability details. Attackers routinely reverse-engineer patches to create exploits within hours.

Bottom Line

CVE-2026-7988 is a serious, patch-now vulnerability that puts every Chromium user at risk. The type confusion in WebRTC can lead to remote code execution with nothing more than a visit to a malicious website. Both Google Chrome and Microsoft Edge have fixes available as of May 6–7, 2026. Browsing the web without updating is like leaving your front door unlocked in a high-crime neighborhood.

Take five minutes to check your browser version and restart. It’s the cheapest insurance you’ll ever buy.