Google Chrome Update Fixes 27 Security Bugs That Could Allow Code Execution


Google has released a Chrome security update that fixes 27 vulnerabilities in the desktop browser, including five critical flaws that could let attackers execute malicious code through crafted web content. The fixes were detailed in the company’s Chrome release notes for June 11.

The update moved Chrome to version 149.0.7827.114/.115 on Windows and macOS, and 149.0.7827.114 on Linux. Google said the rollout would reach users over the following days and weeks.

Users should also know that Google has since issued a newer June 16 Chrome update, which brings the Stable channel to 149.0.7827.155/.156 on Windows and macOS, and 149.0.7827.155 on Linux. That means the safest option is to install the latest available Chrome version now.

Critical Chrome flaws affect Core, GPU, WebMIDI, and more

The June 11 update fixed five critical vulnerabilities. These include use-after-free bugs in Core, DigitalCredentials, and WebMIDI, a heap buffer overflow in GPU, and insufficient validation of untrusted input in Accessibility.

One of the critical flaws, CVE-2026-12007, affects Chrome on Windows before version 149.0.7827.115. NVD describes it as a use-after-free issue in Core that could allow a remote attacker to execute arbitrary code through a crafted HTML page.

These bugs are serious because browsers process untrusted content all day. A malicious website, compromised page, or poisoned ad could potentially deliver crafted content to a vulnerable browser.

| CVE | Severity | Chrome component | Issue type |
| --- | --- | --- | --- |
| CVE-2026-12007 | Critical | Core | Use after free |
| CVE-2026-12008 | Critical | DigitalCredentials | Use after free |
| CVE-2026-12009 | Critical | Accessibility | Insufficient validation of untrusted input |
| CVE-2026-12010 | Critical | GPU | Heap buffer overflow |
| CVE-2026-12011 | Critical | WebMIDI | Use after free |

High-severity bugs also hit Network, Autofill, GPU, and Video

The same update also fixed many high-severity issues across Chrome components such as Network, Cast, Autofill, DevTools, Extensions, Mojo, Codecs, Safe Browsing, GPU, Video, Headless, Passwords, VideoCapture, Linux Toolkit Theming, and Views.

Several of these bugs involve memory corruption, including use-after-free issues, out-of-bounds reads or writes, and heap buffer overflows. These flaw types often matter because attackers can sometimes chain them with other bugs to escape browser protections or gain deeper access.

Google’s June 11 Stable channel update does not say that any of the 27 fixed issues were being actively exploited at the time of release. However, the company kept some technical bug details restricted until most users installed the update.

Why Google limits vulnerability details after Chrome patches

Google commonly restricts bug details and links until most users receive a fix. This slows down attackers who try to reverse engineer patches and build working exploits before users and businesses update their systems.

The NVD entry for CVE-2026-12007 lists a CISA-ADP CVSS 3.1 score of 8.8 and says exploitation was marked as none in the SSVC data available for that entry. That does not make patching optional, because exploit status can change quickly after public disclosure.

The risk is higher for organizations with many unmanaged browsers, users who delay restarts, or systems that run Chrome-based workflows all day. Browser patches only protect users after the update installs and Chrome relaunches.

Chrome users should install the latest Stable update

Chrome normally updates automatically, but the browser often needs a restart to finish installing a new version. Users can manually check by opening Chrome, going to Help, and selecting About Google Chrome, as explained on Google’s Chrome update support page.

Organizations should push the newest Stable release through their browser management tools and confirm that endpoints have restarted Chrome. A browser that downloaded an update but has not relaunched may still run the older vulnerable version.

  • Open Chrome on Windows, macOS, or Linux.
  • Select the three-dot menu in the top-right corner.
  • Go to Help and then About Google Chrome.
  • Let Chrome check for updates.
  • Select Relaunch if Chrome asks for it.

Businesses should prioritize managed browser patching

Security teams should verify browser versions across desktops, laptops, VDI images, kiosk systems, and developer workstations. Chrome is often a primary attack surface because it handles email links, web apps, downloads, documents, and authentication sessions.

Admins should compare their deployed version against the latest Chrome Stable channel release, not only the June 11 build. This matters because the June 16 update includes another 33 security fixes.

Companies should also remind users not to ignore the Relaunch button. Google’s Chrome update instructions make clear that Chrome may need a restart before the update takes effect.
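
The version check described above can be scripted over an inventory export; this is an added example, not code from Google or from the release notes. The record layout, host names and status labels are assumptions, and the version floors are the builds quoted in this article.

```python
from typing import NamedTuple

# Floors quoted in the article; where it lists two builds the lower is used (assumption),
# except Windows on June 11, where NVD says "before 149.0.7827.115".
JUNE_11_FIX = {"windows": "149.0.7827.115", "macos": "149.0.7827.114", "linux": "149.0.7827.114"}
JUNE_16_FIX = dict.fromkeys(("windows", "macos", "linux"), "149.0.7827.155")

class Endpoint(NamedTuple):      # hypothetical inventory record layout
    host: str
    platform: str
    running: str                 # version reported by the live browser process
    installed: str               # version of the binary on disk

def parse(version: str) -> tuple:
    parts = tuple(int(p) for p in version.strip().split("."))  # ints, so .99 < .114
    if len(parts) != 4:
        raise ValueError(f"not a four-part Chrome version: {version!r}")
    return parts

def triage(ep: Endpoint) -> str:
    platform = ep.platform.lower()
    if platform not in JUNE_16_FIX:
        return "unknown-platform"
    try:
        running, installed = parse(ep.running), parse(ep.installed)
    except ValueError:
        return "unparseable-version"      # surface for manual review
    latest = parse(JUNE_16_FIX[platform])
    if running >= latest:
        return "current"
    if installed >= latest:
        return "relaunch-pending"         # patched on disk, old process still live
    if running < parse(JUNE_11_FIX[platform]):
        return "missing-june-11-fixes"
    return "missing-june-16-fixes"

# Constructed sample inventory (not real hosts).
INVENTORY = [
    Endpoint("ws-01", "windows", "149.0.7827.114", "149.0.7827.114"),
    Endpoint("mac-02", "macos", "149.0.7827.115", "149.0.7827.156"),
    Endpoint("lin-03", "linux", "149.0.7827.114", "149.0.7827.114"),
    Endpoint("ws-04", "windows", "149.0.7827.156", "149.0.7827.156"),
    Endpoint("kiosk-05", "linux", "unknown", "149.0.7827.155"),
]

def report(inventory):
    return {ep.host: triage(ep) for ep in inventory}

if __name__ == "__main__":
    print("\n".join(f"{h:10} {s}" for h, s in report(INVENTORY).items()))
```

The `relaunch-pending` status is the case the article warns about: the update is on disk, but the running process is still the older build.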

| Action | Why it matters |
| --- | --- |
| Update Chrome to the latest Stable build | Applies the newest browser security fixes. |
| Restart Chrome after updating | Activates the installed patch. |
| Check managed endpoints | Finds systems stuck on older vulnerable builds. |
| Monitor browser crashes and exploit alerts | Helps detect attempts to abuse memory corruption bugs. |
| Keep extensions under review | Reduces exposure from risky browser add-ons and permissions. |

The main takeaway is straightforward: Chrome users should update immediately and relaunch the browser. The June 11 update fixed critical code execution risks, and the newer June 16 build adds more security fixes that users should not delay.

FAQ

How many vulnerabilities did Google fix in the June 11 Chrome update?

Google’s June 11 Chrome desktop update fixed 27 security vulnerabilities, including five critical flaws and many high-severity issues.

Which Chrome version fixed the June 11 vulnerabilities?

The June 11 update moved Chrome to 149.0.7827.114/.115 on Windows and macOS, and 149.0.7827.114 on Linux. Google has since released a newer Stable update, so users should install the latest available version.

What is CVE-2026-12007?

CVE-2026-12007 is a critical use-after-free vulnerability in Chrome Core on Windows. It could allow a remote attacker to execute arbitrary code through a crafted HTML page.

Were these Chrome vulnerabilities exploited in the wild?

Google’s June 11 release note does not say that the 27 fixed issues were actively exploited at the time of release. Users should still patch quickly because exploit details can emerge after updates ship.

How can users update Google Chrome?

Open Chrome, select the three-dot menu, go to Help, choose About Google Chrome, let the browser check for updates, and relaunch Chrome if prompted.
