Google has pushed a significant security update to Chrome’s Stable channel, upgrading the browser to version 149.0.7827.196/197 on Windows and Mac, and 149.0.7827.196 on Linux.
The update addresses 18 security vulnerabilities, four rated Critical and fourteen rated High severity, and is rolling out progressively over the coming days and weeks.
The most severe fixes in this release target memory corruption issues across core browser components. Three of the four Critical-rated bugs are Use-After-Free (UAF) vulnerabilities, a class of flaws in which a program continues to reference freed memory, potentially enabling attackers to execute arbitrary code or escalate privileges without user interaction.
Critical Vulnerabilities Fixed in Chrome 149
Two of these UAF flaws reside in WebGL (CVE-2026-13028, CVE-2026-13032), a widely used browser API for hardware-accelerated graphics rendering, making them high-value targets given WebGL’s broad attack surface.
A third Critical UAF vulnerability was identified in Autofill (CVE-2026-13038), a sensitive component that handles stored user credentials and payment data.
The fourth Critical flaw, CVE-2026-13033, is an Out-of-Bounds Read in Blink’s InterestGroups implementation, a component tied to Chrome’s Privacy Sandbox APIs. This vulnerability could allow an attacker to read beyond allocated memory boundaries, leaking sensitive data or enabling further exploitation.
CVE-2026-13028 was independently reported by an anonymous researcher on June 7, 2026, while the remaining three Critical CVEs were discovered internally by Google’s security team through proactive research.
High-Severity Vulnerabilities
The fourteen High-severity vulnerabilities expose a wide range of Chrome subsystems, reflecting the browser’s expansive codebase:
| CVE ID | Vulnerability Type | Affected Component |
|---|---|---|
| CVE-2026-13021 | Inappropriate Implementation | DeviceBoundSessionCredentials |
| CVE-2026-13022 | Inappropriate Implementation | Autofill |
| CVE-2026-13023 | Uninitialized Use | GPU |
| CVE-2026-13024 | Insufficient Input Validation | Navigation |
| CVE-2026-13025 | Insufficient Input Validation | DevTools |
| CVE-2026-13026 | Use-After-Free | Digital Credentials |
| CVE-2026-13027 | Use-After-Free | FileSystem |
| CVE-2026-13029 | Use-After-Free | Web Authentication |
| CVE-2026-13030 | Uninitialized Use | GPU |
| CVE-2026-13031 | Use-After-Free | Blink |
| CVE-2026-13034 | Inappropriate Implementation | Passwords |
| CVE-2026-13035 | Use-After-Free | Bluetooth |
| CVE-2026-13036 | Use-After-Free | Blink |
| CVE-2026-13037 | Use-After-Free | WebView |
Notably, eight of the fourteen High-severity bugs are Use-After-Free vulnerabilities, reinforcing a persistent trend of memory safety issues across Chrome’s rendering and platform layers.
Google confirmed that many of the identified bugs were detected using advanced automated tooling, including AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, libFuzzer, and AFL.
Consistent with standard disclosure practices, full bug details remain restricted until a majority of users have received the patch, thereby limiting the window for active exploitation.
Users should update Chrome immediately by navigating to Settings > Help > About Google Chrome and allowing the update to complete. The browser will confirm when it reaches version 149.0.7827.196 or 197.
Given the Critical-severity flaws in WebGL and Autofill components directly tied to web rendering and credential handling enterprise administrators should prioritize forced deployment through managed policies without delay.
Organizations running Chrome in high-privilege or data-sensitive environments face elevated risk if patching is deferred.
No Comment! Be the first one.