GBHackers

Google Fixes 429 Chrome Vulnerabilities, Including 22 Critical Bugs


Google has released Chrome 149 to the stable channel, addressing a significant batch of 429 security vulnerabilities across Windows, macOS, and Linux, including 22 critical flaws that could enable remote code execution, memory corruption, and sandbox escapes.

The update, version 149.0.7827.53/54, is being rolled out gradually, with fixes across multiple components, including ANGLE, GPU, Network, Ozone, and the Chrome subsystems.


The majority of the critical vulnerabilities stem from memory safety issues, particularly use-after-free and out-of-bounds read/write conditions, which remain a recurring attack vector in modern browsers.

These flaws can be exploited by attackers through crafted web content, potentially leading to arbitrary code execution within the browser context. Notably, several vulnerabilities impact the GPU and ANGLE components, which are frequently targeted due to their complexity and direct interaction with hardware acceleration layers.

Google has restricted detailed technical disclosures for many of these vulnerabilities until a majority of users receive the update, a standard practice to prevent active exploitation. The vulnerabilities were reported by both external researchers and internal security teams, with bug bounty rewards reaching up to $97,000 for high-impact findings.

From a threat intelligence perspective, vulnerabilities in components such as Network, FileSystem, and Passwords are particularly concerning, as they could facilitate data exfiltration or privilege escalation if chained with other exploits.

Additionally, flaws in Chromecast, Cast Streaming, and Chromoting indicate potential risks in remote streaming and device interaction features, expanding the attack surface beyond traditional browser usage.

Organizations and individual users are strongly advised to update Chrome immediately to mitigate exposure. Given the volume and severity of fixes, this release underscores the continued importance of browser hardening and timely patch management as part of enterprise security strategies.

22 Critical Bugs

| CVE ID | Severity | Vulnerability Type |
|---|---|---|
| CVE-2026-10881 | Critical | Out-of-bounds read/write |
| CVE-2026-10882 | Critical | Use-after-free |
| CVE-2026-10883 | Critical | Out-of-bounds write |
| CVE-2026-10884 | Critical | Use-after-free |
| CVE-2026-10885 | Critical | Use-after-free |
| CVE-2026-10886 | Critical | Use-after-free |
| CVE-2026-10887 | Critical | Use-after-free |
| CVE-2026-10888 | Critical | Use-after-free |
| CVE-2026-10889 | Critical | Out-of-bounds read |
| CVE-2026-10890 | Critical | Use-after-free |
| CVE-2026-10891 | Critical | Use-after-free |
| CVE-2026-10892 | Critical | Out-of-bounds write |
| CVE-2026-10893 | Critical | Use-after-free |
| CVE-2026-10894 | Critical | Use-after-free |
| CVE-2026-10895 | Critical | Use-after-free |
| CVE-2026-10896 | Critical | Use-after-free |
| CVE-2026-10897 | Critical | Out-of-bounds write |
| CVE-2026-10898 | Critical | Stack buffer overflow |
| CVE-2026-10899 | Critical | Use-after-free |
| CVE-2026-10900 | Critical | Use-after-free |
| CVE-2026-10901 | Critical | Use-after-free |
| CVE-2026-10902 | Critical | Use-after-free |
