Chrome 149 Security Update Fixes Critical Flaws That Could Enable Code Execution Attacks
Google has released a Chrome 149 security update for Windows, macOS, and Linux, fixing 18 browser vulnerabilities that include four Critical-rated flaws.
The latest Chrome Stable Channel update moves desktop users to version 149.0.7827.196/197 on Windows and Mac, and 149.0.7827.196 on Linux. Google said the update will roll out over the coming days and weeks.
The most serious bugs affect WebGL, Blink InterestGroups, and Autofill. Several of them involve memory-safety problems that can let attackers target Chrome through crafted web content.
Chrome 149 update fixes four Critical vulnerabilities
Google listed four Critical-rated vulnerabilities in this release. Two are use-after-free flaws in WebGL, one is an out-of-bounds read in Blink InterestGroups, and one is a use-after-free flaw in Autofill.
Use-after-free vulnerabilities happen when software continues using memory after it has already released it. Attackers can sometimes abuse that condition to crash a program, corrupt memory, or influence code execution.
Google said access to some bug details may stay restricted until most users receive the fix. The Chromium Security project explains that fixed security bugs are normally tracked through Stable Channel security notes, while sensitive bug details can remain limited before public disclosure.
| CVE | Severity | Vulnerability type | Affected component | Reported by |
|---|---|---|---|---|
| CVE-2026-13028 | Critical | Use after free | WebGL | Anonymous researcher |
| CVE-2026-13032 | Critical | Use after free | WebGL | |
| CVE-2026-13033 | Critical | Out-of-bounds read | Blink InterestGroups | |
| CVE-2026-13038 | Critical | Use after free | Autofill | |
Why WebGL and Autofill flaws matter
WebGL is a browser technology used for graphics rendering on the web. Because it interacts closely with graphics processing paths, bugs in this area can create serious browser security risks.
Autofill also has a sensitive role because it handles information users enter into forms. A memory bug in that area can become more dangerous when attackers combine it with crafted pages or other browser weaknesses.
The HKCERT security bulletin said remote attackers could exploit some of the Chrome vulnerabilities to trigger denial of service, remote code execution, and security restriction bypass on targeted systems.
Fourteen High-severity Chrome bugs were also patched
The same Chrome 149 update fixes fourteen High-severity bugs across DeviceBoundSessionCredentials, Autofill, GPU, Navigation, DevTools, Digital Credentials, FileSystem, Web Authentication, Blink, Passwords, Bluetooth, and WebView.
Many of these bugs are use-after-free, uninitialized use, insufficient input validation, or inappropriate implementation issues. Those categories often point to memory handling mistakes or logic errors in complex browser components.
The Chrome release notes show that most of the High-severity flaws were reported internally by Google during May and June 2026.
| CVE | Severity | Issue | Component |
|---|---|---|---|
| CVE-2026-13021 | High | Inappropriate implementation | DeviceBoundSessionCredentials |
| CVE-2026-13022 | High | Inappropriate implementation | Autofill |
| CVE-2026-13023 | High | Uninitialized use | GPU |
| CVE-2026-13024 | High | Insufficient input validation | Navigation |
| CVE-2026-13025 | High | Insufficient input validation | DevTools |
| CVE-2026-13026 | High | Use after free | Digital Credentials |
| CVE-2026-13027 | High | Use after free | FileSystem |
| CVE-2026-13029 | High | Use after free | Web Authentication |
| CVE-2026-13030 | High | Uninitialized use | GPU |
| CVE-2026-13031 | High | Use after free | Blink |
| CVE-2026-13034 | High | Inappropriate implementation | Passwords |
| CVE-2026-13035 | High | Use after free | Bluetooth |
| CVE-2026-13036 | High | Use after free | Blink |
| CVE-2026-13037 | High | Use after free | WebView |
Google keeps some technical details restricted
Google commonly limits public access to vulnerability details until most users have updated. That reduces the chance that attackers can quickly build reliable exploit code from the advisory itself.
The company also credits internal tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL for helping detect many security bugs before release.
The Chromium security team says its work includes finding and fixing security bugs, improving secure architecture, helping developers build safer apps, and reviewing security risks across the Chromium project.
How to update Chrome on desktop
Most consumer Chrome installations update automatically. Users can still force a manual check by opening Chrome, going to Settings, choosing Help, and then selecting About Google Chrome.
Enterprise administrators should verify that update policies allow Chrome to receive urgent security patches. Google’s Chrome Enterprise update guidance recommends automatic updates so users receive critical security fixes as they become available.
Administrators who manage Windows devices through Group Policy should also check whether Chrome updates have been disabled or delayed. Google’s Windows update management guide recommends keeping auto-updates turned on for Chrome browser and Google Update-managed apps.
- Windows and Mac users should update to Chrome 149.0.7827.196/197 or later.
- Linux users should update to Chrome 149.0.7827.196 or later.
- Managed environments should confirm that Chrome update policies allow security updates.
- Users should restart Chrome after the update completes.
- Admins should prioritize devices used for email, banking, cloud dashboards, and privileged workflows.
Why enterprises should not delay this patch
Browser vulnerabilities can move quickly from patch notes to exploit attempts once enough technical information becomes available. Chrome is also a high-value target because it sits between users and sensitive web accounts.
The HKCERT advisory lists affected versions as Chrome prior to 149.0.7827.196 on Linux and prior to 149.0.7827.196/197 on Windows and Mac.
Google’s Chrome Enterprise Core documentation also notes that minor updates, including security fixes and software updates, arrive between full browser releases. That makes update monitoring important even when major versions appear current.
What Chrome users should do now
Individual users should install the update and restart the browser. The browser may show that an update has downloaded, but the fix does not fully apply until Chrome restarts.
Business users should ask IT teams to confirm rollout status across all managed endpoints. A device that remains one or two builds behind can still carry known browser vulnerabilities.
Organizations that use Group Policy can review the Chrome update policy settings to confirm that updates remain enabled, that version pinning does not block the fix, and that update delays do not leave users exposed for longer than necessary.
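As an added example (not code from the article, Google, or HKCERT), the audit below scores an endpoint inventory against the fixed builds named in the checklist above, so devices "one or two builds behind" stand out; the hostnames and the pre-149 builds in the sample are constructed.

```python
# Added example, not from the article or from Google: audit a Chrome
# inventory against the fixed builds this advisory names.
# Lowest fixed build per platform. Windows and Mac shipped as
# 149.0.7827.196/197, so .196 is the floor on every platform.
FIXED_BUILD = {
    "windows": (149, 0, 7827, 196),
    "mac": (149, 0, 7827, 196),
    "linux": (149, 0, 7827, 196),
}

def parse_version(version: str) -> tuple[int, ...]:
    """Parse 'a.b.c.d' into ints; a textual compare would wrongly rank
    '149.0.7827.99' above '149.0.7827.196'."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)

def is_patched(platform: str, version: str) -> bool:
    """True when the installed build is at or beyond the fixed build."""
    return parse_version(version) >= FIXED_BUILD[platform.lower()]

def audit(inventory_csv: str) -> list[tuple[str, str, str]]:
    """Return (host, platform, version) for hosts still on a vulnerable build.
    Input is 'host,platform,version' lines such as an endpoint-management export.
    Unparseable versions count as findings: an unknown build is not shown patched."""
    findings = []
    for line in inventory_csv.strip().splitlines():
        host, platform, version = (f.strip() for f in line.split(","))
        try:
            ok = is_patched(platform, version)
        except (ValueError, KeyError):
            ok = False
        if not ok:
            findings.append((host, platform, version))
    return findings

# Constructed sample inventory; hostnames and builds are illustrative.
SAMPLE_INVENTORY = """
ws-01,windows,149.0.7827.197
ws-02,windows,149.0.7827.99
mac-01,mac,149.0.7827.196
lnx-01,linux,148.0.7799.120
ws-03,windows,150.0.7901.10
srv-01,windows,unknown
"""

if __name__ == "__main__":
    for host, platform, version in audit(SAMPLE_INVENTORY):
        print(f"UNPATCHED {host} ({platform}) {version}")
```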
FAQ
Google fixed the latest Chrome 149 desktop vulnerabilities in version 149.0.7827.196/197 for Windows and Mac, and version 149.0.7827.196 for Linux.
Google listed 18 security fixes in the Chrome 149 desktop update. Four were rated Critical, while fourteen were rated High severity.
The Critical vulnerabilities affected WebGL, Blink InterestGroups, and Autofill. The WebGL and Autofill flaws were use-after-free bugs, while the Blink InterestGroups flaw was an out-of-bounds read issue.
Google’s June 23, 2026 advisory does not say that these specific vulnerabilities are being actively exploited in the wild. Users should still update quickly because technical details may become public later.
Open Chrome, go to Settings, select Help, and then choose About Google Chrome. Chrome will check for updates automatically. Restart the browser after the update installs.