Chrome 149 Update Fixes 429 Security Issues, but Users Should Install the Newer Zero-Day Patch
Google recently shipped one of Chrome’s largest security updates of the year, fixing 429 security issues in Chrome 149. The release included 22 critical vulnerabilities across components such as ANGLE, Network, GPU, Ozone, Passwords, Printing, Chromecast, Cast Streaming, Chromoting, FileSystem, and Chrome for iOS.
Users should update Chrome immediately, but they should not stop at the first Chrome 149 build. Google followed the 429-fix release with a newer Chrome 149 update on June 8 that fixes 74 additional security issues, including an actively exploited V8 vulnerability tracked as CVE-2026-11645.
The original Chrome 149 Stable Channel update promoted version 149.0.7827.53 for Linux and 149.0.7827.53/54 for Windows and Mac. The newer June 8 Chrome Stable Channel update moved desktop users to 149.0.7827.102/.103 for Windows and Mac, and 149.0.7827.102 for Linux.
Chrome 149 patched 429 security issues in its first stable release
Google said the first Chrome 149 stable build included 429 security fixes. The company highlighted externally reported flaws, while keeping some bug details and links restricted until most users receive the update.
The biggest concern in that release was the number of critical memory-safety vulnerabilities. These included out-of-bounds read and write flaws in ANGLE, use-after-free bugs in several browser components, and GPU-related memory corruption issues.
One of the most notable issues was CVE-2026-10881, an ANGLE out-of-bounds read and write vulnerability. NVD says the flaw affected Chrome before 149.0.7827.53 and could potentially let a remote attacker perform a sandbox escape through a crafted HTML page.
| Release | Chrome versions | Main security point |
|---|---|---|
| June 2, 2026 | 149.0.7827.53 on Linux, 149.0.7827.53/54 on Windows and Mac | 429 security fixes, including 22 critical issues |
| June 8, 2026 | 149.0.7827.102/.103 on Windows and Mac, 149.0.7827.102 on Linux | 74 more security fixes, including exploited CVE-2026-11645 |
The critical flaws hit major Chrome components
The 22 critical issues in the first Chrome 149 release affected many parts of the browser. Several involved use-after-free bugs, a memory corruption class that can become dangerous when attackers combine it with a crafted webpage or a broader exploit chain.
Other critical bugs involved out-of-bounds reads and writes in ANGLE and GPU components. ANGLE is important because it helps Chrome translate graphics workloads across different graphics APIs and platforms.
The critical list also included Passwords, Ozone, Printing, Cast, Cast Streaming, Chromecast, Chromoting, FileSystem, GFX, Network, and Chrome for iOS. That range matters because Chrome is not only a browser engine. It also handles password storage, authentication flows, printing, remote access, media, graphics, and device integration.
| CVE | Component | Bug class |
|---|---|---|
| CVE-2026-10881 | ANGLE | Out-of-bounds read and write |
| CVE-2026-10882 | Network | Use-after-free |
| CVE-2026-10883 | ANGLE | Out-of-bounds write |
| CVE-2026-10884 | Chromecast | Use-after-free |
| CVE-2026-10885 | Chrome for iOS | Use-after-free |
| CVE-2026-10886 | FileSystem | Use-after-free |
| CVE-2026-10887 | Chromoting | Use-after-free |
| CVE-2026-10888 | Cast Streaming | Use-after-free |
| CVE-2026-10889 | ANGLE | Out-of-bounds read |
| CVE-2026-10890 | Cast | Use-after-free |
| CVE-2026-10891 | GFX | Use-after-free |
| CVE-2026-10892 | GPU | Out-of-bounds write |
| CVE-2026-10893 | Chromoting | Use-after-free |
| CVE-2026-10894 | Printing | Use-after-free |
| CVE-2026-10895 | Ozone | Use-after-free |
| CVE-2026-10896 | Chrome for iOS | Use-after-free |
| CVE-2026-10897 | GPU | Out-of-bounds write |
| CVE-2026-10898 | GPU | Stack buffer overflow |
| CVE-2026-10899 | Ozone | Use-after-free |
| CVE-2026-10900 | Passwords | Use-after-free |
| CVE-2026-10901 | Passwords | Use-after-free |
| CVE-2026-10902 | Ozone | Use-after-free |
The newer Chrome update fixes an exploited V8 zero-day
The June 8 update makes the situation more urgent. Google said the release includes 74 security fixes and confirmed that an exploit exists in the wild for CVE-2026-11645.
The CVE-2026-11645 entry describes the flaw as an out-of-bounds read and write issue in V8, Chrome’s JavaScript and WebAssembly engine. According to NVD, Chrome versions before 149.0.7827.103 could allow a remote attacker to execute arbitrary code inside the browser sandbox through a crafted HTML page.
NVD also lists the flaw in CISA’s Known Exploited Vulnerabilities catalog, with a June 23, 2026 remediation due date for covered U.S. federal civilian agencies. That does not mean only federal agencies should act. Any user or organization running an older Chrome 149 build should update now.
- The 429-fix Chrome 149 release addressed a broad set of critical and high-severity flaws.
- The newer Chrome 149 update fixed 74 more security issues.
- CVE-2026-11645 affects V8 and has exploit activity in the wild.
- Users should check for the newest Chrome 149 build instead of assuming 149.0.7827.53 is enough.
- Organizations should verify update coverage across Windows, macOS, Linux, and managed browser fleets.
Why browser patches matter for everyday users and enterprises
Browser vulnerabilities can become entry points for account theft, malware delivery, spyware activity, or larger intrusion chains. Chrome processes untrusted web content every day, so flaws in V8, graphics, GPU, WebRTC, Password Manager, Autofill, and networking components deserve fast attention.
Google limits technical details for many Chrome bugs until updates reach most users. That approach reduces the risk that attackers can quickly turn newly disclosed bug details into working exploits before users patch.
For enterprises, the risk extends beyond browsing. Chrome often connects users to email, SaaS dashboards, identity portals, cloud control panels, customer data, developer tools, and internal apps. A browser compromise can therefore affect much more than a single web session.
How to update Chrome on Windows, Mac, and Linux
Google says Chrome can update automatically when a new version is available, but users still need to relaunch the browser to apply many updates. The official Chrome update instructions tell desktop users to open Chrome, go to the three-dot menu, select Help, open About Google Chrome, and then relaunch if an update is available.
Users can also type chrome://settings/help in the address bar. Chrome will check for updates on that page and show the installed version number under the Google Chrome heading.
After the browser relaunches, Windows and Linux users should look for version 149.0.7827.102 or later. Mac users should look for version 149.0.7827.103 or later.
| Platform | Patched Chrome 149 version from the June 8 update |
|---|---|
| Windows | 149.0.7827.102 or 149.0.7827.103 |
| macOS | 149.0.7827.103 |
| Linux | 149.0.7827.102 |
IT admins should verify policy and fleet coverage
Managed environments need more than a simple user alert. IT teams should confirm that Google Update policies allow updates, make sure update deferrals do not block the security release, and verify the installed version across all managed endpoints.
Google’s Chrome Enterprise update guidance says Windows administrators can manage Chrome browser updates through Google Update and Group Policy. It also warns that turning off browser updates prevents software fixes and security patches from being applied.
Admins should pay special attention to devices pinned to older versions, shared machines that rarely restart, virtual desktops, kiosks, and unmanaged BYOD devices that access business apps.
- Check Chrome versions through device management tools and endpoint inventory.
- Confirm that update policies allow Chrome to move to the newest 149 build.
- Ask users to relaunch Chrome after the update downloads.
- Review logs for browser crashes, suspicious renderer activity, and unexplained redirects.
- Prioritize systems used for email, finance, admin panels, identity management, and cloud consoles.
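The version check described above can be scripted against an endpoint inventory export. The following is an added example, not code from Google or from this article: the per-platform minimums are the June 8 builds listed above, while the hostnames, the inventory rows, and the 148.x version are constructed sample data. Versions are compared as integer tuples because a plain string comparison ranks 149.0.7827.53 above 149.0.7827.102.

```python
# Added example: minimum builds are the June 8 versions stated in the article.
MIN_BUILD = {
    "windows": "149.0.7827.102",
    "linux": "149.0.7827.102",
    "macos": "149.0.7827.103",
}

def parse_version(text):
    """Turn '149.0.7827.102' into (149, 0, 7827, 102); None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version):
    """Return 'patched', 'outdated', or 'unknown' for one endpoint."""
    minimum = MIN_BUILD.get(platform.lower())
    installed = parse_version(version)
    if minimum is None or installed is None:
        return "unknown"  # unrecognized platform or unreadable version
    return "patched" if installed >= parse_version(minimum) else "outdated"

def audit(inventory):
    """Group hostnames by status; 'unknown' rows need manual follow-up."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for host, platform, version in inventory:
        report[classify(platform, version)].append(host)
    return report

# Constructed inventory export: (hostname, platform, installed Chrome version).
SAMPLE_INVENTORY = [
    ("fin-ws-01", "Windows", "149.0.7827.103"),
    ("dev-lx-07", "Linux", "149.0.7827.53"),    # first Chrome 149 build only
    ("mkt-mac-03", "macOS", "149.0.7827.102"),  # below the Mac minimum
    ("kiosk-12", "Windows", "148.0.7778.97"),   # pinned older major (constructed)
    ("vdi-pool-4", "Linux", "149.0.7827.102"),
    ("byod-22", "Windows", ""),                 # agent reported no version
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:9} {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be treated as unpatched until the installed version is confirmed.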
Chrome 149.0.7827.53 was important, but it is not the final stop
The first Chrome 149 release deserves attention because it fixed 429 security issues and included 22 critical CVEs. However, the later Chrome 149.0.7827.102/.103 update matters more for users today because it includes the actively exploited V8 fix.
Security teams should also track high-risk issues from the earlier release, including NVD’s CVE-2026-10881 record, because those details may become more useful to attackers as bug restrictions lift.
For home users, the safest action is simple: open About Google Chrome, install the update, and relaunch the browser. For organizations, the safer approach is to enforce updates, measure deployment, and investigate systems that remain below the patched build.
Google’s desktop update guide and enterprise update documentation both point to the same conclusion: Chrome security fixes only protect users after the browser updates and restarts.
The update should be treated as urgent, especially on systems used for work accounts, password management, payments, cryptocurrency, webmail, or cloud administration. An exploited browser bug can move quickly from a malicious webpage to account compromise if users delay patching.
FAQ
Google’s first Chrome 149 stable release fixed 429 security issues, including 22 critical vulnerabilities. Google later released another Chrome 149 update on June 8, 2026 with 74 additional security fixes.
For the June 8 Chrome 149 security update, Windows and Linux users should be on Chrome 149.0.7827.102 or later, while Mac users should be on Chrome 149.0.7827.103 or later.
CVE-2026-11645 is a high-severity out-of-bounds read and write vulnerability in Chrome’s V8 JavaScript and WebAssembly engine. Google says an exploit for this vulnerability exists in the wild.
No. Chrome 149.0.7827.53 fixed many vulnerabilities, but Google has since released a newer Chrome 149 build with more security fixes, including an actively exploited V8 flaw. Users should install the latest available Chrome update.
Open Chrome, click the three-dot menu, go to Help, select About Google Chrome, wait for Chrome to check for updates, and then click Relaunch if prompted. You can also type chrome://settings/help into the address bar.
IT admins should verify Chrome versions across all managed devices, make sure update policies allow the newest build, force or encourage browser relaunches, and investigate systems that remain below the patched version.