Google Fixes 33 Chrome Security Flaws, Including Seven Critical Vulnerabilities
Google has released a new Chrome security update that fixes 33 vulnerabilities, including seven critical flaws in browser components such as WebShare, WebView, Digital Credentials, File Input, Passwords, and Web Authentication.
The update moves the Chrome Stable channel to version 149.0.7827.155/.156 for Windows and macOS, and 149.0.7827.155 for Linux. Google says the rollout will continue over the coming days and weeks.
Users and IT admins should update Chrome as soon as the patch becomes available. While Google has not said that these specific vulnerabilities are being actively exploited, several of the bugs affect memory safety and could become useful in attack chains if users delay the update.
Chrome update patches critical memory safety bugs
The most serious issues in this release include multiple use-after-free vulnerabilities. These flaws occur when software continues to use memory after it has been released, which can lead to crashes, memory corruption, or more serious exploitation paths.
Google listed CVE-2026-12437 as a critical use-after-free flaw in WebShare. Other critical flaws affect WebView, Digital Credentials, File Input, Passwords, and Web Authentication, according to the Chrome Releases post.
The company has restricted access to some bug details until most users receive the fix. This is standard practice for Chrome security updates because public technical details can help attackers reverse-engineer a patch before users update.
| CVE | Severity | Component | Issue type |
|---|---|---|---|
| CVE-2026-12437 | Critical | WebShare | Use after free |
| CVE-2026-12438 | Critical | WebView | Inappropriate implementation |
| CVE-2026-12439 | Critical | Digital Credentials | Use after free |
| CVE-2026-12440 | Critical | Digital Credentials | Use after free |
| CVE-2026-12441 | Critical | File Input | Use after free |
| CVE-2026-12442 | Critical | Passwords | Use after free |
| CVE-2026-12443 | Critical | Web Authentication | Use after free |
High-severity flaws affect WebRTC, Extensions, GPU, and more
The same Chrome update also fixes 26 high-severity vulnerabilities. These include heap buffer overflows in WebRTC, out-of-bounds reads in Chromoting and WebRTC, use-after-free bugs in Extensions, Downloads, Media, and Browser, and an uninitialized use issue in GPU.
Several of these bugs affect components that process complex web content or browser features exposed to websites. That increases the importance of keeping Chrome updated, especially on systems used to access email, cloud dashboards, admin portals, developer tools, and internal web apps.
The Chromium Security page explains that Chrome uses a multi-process sandbox architecture and other defenses to reduce the impact of browser bugs. Security updates still matter because attackers often chain browser vulnerabilities with sandbox escapes or other weaknesses.
| Area | Examples from this update | Potential risk |
|---|---|---|
| WebRTC | CVE-2026-12447, CVE-2026-12461, CVE-2026-12466 | Memory corruption or information exposure through crafted web content |
| Extensions | CVE-2026-12445, CVE-2026-12456, CVE-2026-12457, CVE-2026-12467 | Abuse of extension behavior or insufficient validation |
| Passwords | CVE-2026-12446, CVE-2026-12458 | Data validation and security UI problems |
| GPU | CVE-2026-12469 | Potential data exposure from uninitialized memory |
| File System Access | CVE-2026-12460 | Insufficient policy enforcement |
Why browser security updates should be treated as urgent
Browsers are frequent targets because they process untrusted content from the web every day. A user may not need to download a file for a browser exploit to matter. In many cases, visiting a malicious or compromised page can be enough to trigger a vulnerable code path.
The risk is higher in enterprise environments where outdated browsers remain installed on unmanaged endpoints, shared workstations, virtual desktops, or developer machines. A delayed browser patch can leave users exposed even when the operating system itself is fully updated.
The CVE Program helps vendors, security teams, and vulnerability scanners refer to the same flaws using unique identifiers. That makes it easier for admins to track whether endpoint management tools have detected and remediated Chrome vulnerabilities across a fleet.
- Chrome users should open Settings, choose About Chrome, and restart the browser after the update installs.
- Enterprise admins should confirm that managed devices have moved to Chrome 149.0.7827.155 or later.
- Security teams should check browser versions on remote, shared, and kiosk-style systems.
- Organizations should review extension policies and reduce unnecessary browser attack surface.
Google says bug details remain restricted for now
Google says access to bug details and links may stay restricted until most users update. It can also keep restrictions in place when a bug affects a third-party library that other projects still need to patch.
This means public technical information for some of the 33 fixed flaws may remain limited for now. Users do not need to wait for technical details to act. Updating Chrome applies the available protections immediately.
The Chrome update help page explains that Chrome can normally update automatically, but users may need to relaunch the browser to complete installation. On managed devices, admins may control the timing through enterprise policies.
What users should do now
For home users, the fastest step is to open Chrome, go to Settings, select About Chrome, let the browser check for updates, and restart it. The update only takes effect after Chrome relaunches.
For businesses, browser patching should be handled like any other high-priority security update. Admins should check reporting in endpoint management tools, confirm the installed version, and follow up on devices that have not restarted.
The Google Chrome help page also notes that update indicators can appear in the browser when a new version is ready. Users should not ignore those prompts, especially after a security release.
| User type | Recommended action |
|---|---|
| Home users | Open About Chrome, install the update, and restart the browser |
| IT admins | Confirm Chrome 149.0.7827.155 or later across Windows, macOS, and Linux devices |
| Security teams | Watch for outdated browser versions in vulnerability management dashboards |
| Developers | Restart Chrome instances used for testing, debugging, and local admin work |
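An added example, not from Google or the original article: a fleet check that compares each device's installed and running Chrome build against 149.0.7827.155 and separates outdated devices from those that have updated but not relaunched. The inventory columns and sample rows are constructed, and treating an empty running version as "Chrome not running" is an assumption.

```python
import csv
import io
import re

FIXED_BUILD = "149.0.7827.155"  # fixed Stable build named in the article

# Constructed sample inventory; column names and rows are assumptions,
# not a real endpoint-management export format.
SAMPLE_INVENTORY = """host,os,installed_version,running_version
ws-001,Windows,149.0.7827.156,149.0.7827.156
ws-002,Windows,149.0.7827.155,148.0.7778.97
mac-014,macOS,149.0.7827.99,149.0.7827.99
kiosk-3,Linux,148.0.7778.97,148.0.7778.97
dev-22,Linux,149.0.7827.155,
vdi-07,Windows,unknown,
"""


def parse_version(text):
    """Return the four-part version as a tuple of ints, or None if malformed."""
    if not re.fullmatch(r"[0-9]+(\.[0-9]+){3}", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))


def classify(installed, running, fixed=FIXED_BUILD):
    """Return 'patched', 'restart-pending', 'outdated' or 'unknown'."""
    target = parse_version(fixed)
    inst = parse_version(installed)
    if inst is None:
        return "unknown"
    # Tuples compare numerically, so .99 sorts below .155 (strings would not).
    if inst < target:
        return "outdated"
    run = parse_version(running)
    # Assumption: an empty running version means Chrome is not running, so
    # the next launch starts the installed (fixed) build.
    if run is not None and run < target:
        return "restart-pending"
    return "patched"


def audit(inventory_csv):
    """Map each host in the CSV text to its patch status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["installed_version"], r["running_version"] or "")
            for r in rows}
```

Devices reported as `restart-pending` have the fix on disk but are still running a vulnerable build, so they belong in the same follow-up queue as `outdated` ones.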
Chrome’s built-in defenses do not remove the need to patch
Chrome includes sandboxing, site isolation, memory-safety tooling, fuzzing, and other security defenses. Google also credits tools such as AddressSanitizer, MemorySanitizer, Control Flow Integrity, libFuzzer, and AFL for helping catch bugs before they reach attackers.
Those protections reduce risk, but they cannot replace patching. A critical browser vulnerability can still become dangerous when attackers combine it with another flaw or target users who have not restarted after an update.
The Chromium security documentation makes clear that Chrome’s security model uses layers. Patching is one of those layers, and users should apply the June update as soon as possible.
The practical takeaway is simple: update Chrome now, restart it, and make sure managed systems do the same. The vulnerabilities are fixed in the new Stable channel release, but unpatched browsers remain exposed until the update actually installs and the browser restarts.
FAQ
Google says the Stable channel was updated to 149.0.7827.155/.156 for Windows and macOS, and 149.0.7827.155 for Linux. Users should install the newest available Chrome version and restart the browser.
Google fixed 33 security issues in this Chrome Stable channel update. Seven of the listed vulnerabilities carry a critical severity rating.
Google’s June 16, 2026 Chrome release post does not say that these specific vulnerabilities were exploited in the wild. Google did restrict some technical details until most users receive the update.
Open Chrome, go to Settings, select About Chrome, and let the browser check for updates. Restart Chrome after the update installs so the fixes can take effect.
Use-after-free bugs happen when software uses memory after it has been released. In browsers, these flaws can lead to crashes, memory corruption, or exploitation paths when combined with other weaknesses.