Google has released a critical security update for its Chrome browser, addressing multiple high-severity vulnerabilities that could allow attackers to execute arbitrary code on affected systems.
Users are strongly advised to update immediately as several flaws impact core browser components.
The latest Chrome Stable channel has been updated to version 149.0.7827.155/.156 for Windows and macOS, and 149.0.7827.155 for Linux.
The rollout is gradual and will reach users over the coming days and weeks. This release includes 33 security fixes, several of which are rated critical due to their potential for remote code execution (RCE).
Google has restricted detailed technical information for some bugs until the majority of users have installed the update.
Chrome Vulnerabilities Enable Code Execution
Among the patched issues, seven critical vulnerabilities stand out, primarily involving “use-after-free” memory corruption bugs. These flaws can allow attackers to manipulate memory and execute arbitrary code within the browser context.
Key critical vulnerabilities include:
CVE-2026-12437: Use-after-free in WebShare.
CVE-2026-12438: Inappropriate implementation in WebView.
CVE-2026-12439 & CVE-2026-12440: Use-after-free in Digital Credentials.
CVE-2026-12441: Use-after-free in File Input.
CVE-2026-12442: Use-after-free in Passwords.
CVE-2026-12443: Use-after-free in Web Authentication.
Use-after-free vulnerabilities occur when memory is accessed after it has been released, potentially allowing attackers to corrupt memory structures and gain control of the execution flow.
In a real-world scenario, a victim simply visiting a malicious webpage could trigger exploitation without additional interaction. In addition to critical flaws, Google patched numerous high-severity vulnerabilities across components such as WebRTC, Extensions, Safe Browsing, GPU, and File System Access.
Other Notable Vulnerabilities
Heap buffer overflows in WebRTC (CVE-2026-12447, CVE-2026-1246.
Out-of-bounds reads in Chromoting and WebRTC.
Multiple use-after-free flaws in Extensions, Media, Downloads, and Browser.
Insufficient validation and policy enforcement issues across input handling and extensions.
These vulnerabilities could lead to data leaks, sandbox escapes, or further exploitation chains when combined with other bugs.
| CVE ID | Severity | Component | Vulnerability type | Reporter | Reported date |
|---|---|---|---|---|---|
| CVE-2026-12437 | Critical | WebShare | Use after free | | 2026-05-25 |
| CVE-2026-12438 | Critical | WebView | Inappropriate implementation | | 2026-05-27 |
| CVE-2026-12439 | Critical | Digital Credentials | Use after free | | 2026-06-03 |
| CVE-2026-12440 | Critical | DigitalCredentials | Use after free | | 2026-06-03 |
| CVE-2026-12441 | Critical | File Input | Use after free | | 2026-06-05 |
| CVE-2026-12442 | Critical | Passwords | Use after free | | 2026-06-09 |
| CVE-2026-12443 | Critical | Web Authentication | Use after free | | 2026-06-11 |
| CVE-2026-12444 | High | Chromoting | Out of bounds read | | 2026-05-14 |
| CVE-2026-12445 | High | Extensions | Use after free | | 2026-05-14 |
| CVE-2026-12446 | High | Passwords | Insufficient data validation | | 2026-05-14 |
| CVE-2026-12447 | High | WebRTC | Heap buffer overflow | | 2026-05-15 |
| CVE-2026-12448 | High | WebView | Inappropriate implementation | | 2026-05-15 |
| CVE-2026-12449 | High | Chromoting | Use after free | | 2026-05-15 |
| CVE-2026-12450 | High | Media | Inappropriate implementation | Zhixin Tu | 2026-05-19 |
| CVE-2026-12451 | High | DigitalCredentials | Use after free | | 2026-05-19 |
| CVE-2026-12452 | High | Downloads | Use after free | | 2026-05-21 |
| CVE-2026-12453 | High | Input | Insufficient validation of untrusted input | | 2026-05-25 |
| CVE-2026-12454 | High | Safe Browsing | Race condition | | 2026-05-27 |
| CVE-2026-12455 | High | Tab Strip | Use after free | | 2026-05-27 |
| CVE-2026-12456 | High | Extensions | Insufficient validation of untrusted input | | 2026-05-27 |
| CVE-2026-12457 | High | Extensions | Insufficient data validation | | 2026-05-27 |
| CVE-2026-12458 | High | Passwords | Incorrect security UI | | 2026-05-27 |
| CVE-2026-12459 | High | Serial | Inappropriate implementation | | 2026-05-28 |
| CVE-2026-12460 | High | File System Access | Insufficient policy enforcement | | 2026-05-28 |
| CVE-2026-12461 | High | WebRTC | Out of bounds read | | 2026-05-29 |
| CVE-2026-12462 | High | Media | Use after free | | 2026-05-29 |
| CVE-2026-12463 | High | Views | Inappropriate implementation | | 2026-05-30 |
| CVE-2026-12464 | High | Browser | Use after free | | 2026-06-03 |
| CVE-2026-12465 | High | Metrics | Insufficient validation of untrusted input | | 2026-06-05 |
| CVE-2026-12466 | High | WebRTC | Heap buffer overflow | | 2026-06-05 |
| CVE-2026-12467 | High | Extensions | Use after free | | 2026-06-05 |
| CVE-2026-12468 | High | Updater | Inappropriate implementation | | 2026-06-08 |
| CVE-2026-12469 | High | GPU | Uninitialized use | | 2026-06-09 |
Google credits its internal security tools for identifying many of these vulnerabilities, including AddressSanitizer, MemorySanitizer, libFuzzer, and Control Flow Integrity mechanisms.
These tools play a key role in proactively identifying memory safety issues before they are exploited in the wild.
Users and organizations should take immediate action:
Update Chrome to the latest version via Settings > About Chrome.
Restart the browser to ensure patches are applied.
Monitor enterprise environments for outdated browser versions.
Apply defense-in-depth strategies such as endpoint protection and browser isolation.
Given the number of critical memory corruption vulnerabilities, delaying updates significantly increases the risk of exploitation.

