Google has released Chrome 149, fixing 18 security vulnerabilities, including four critical flaws that could potentially allow attackers to execute malicious code or escape the browser’s built-in security protections.
Quick Summary – TLDR:
- Google Chrome 149 fixes 18 security vulnerabilities, including four critical and 14 high severity flaws.
- Several of the most dangerous bugs affect WebGL and Autofill, increasing the risk of remote attacks through malicious websites.
- Google says there is no evidence that any of the newly patched vulnerabilities have been exploited in the wild.
- Users are strongly encouraged to update Chrome as soon as possible to stay protected.
What Happened?
Google has rolled out the latest Chrome 149 update for Windows, macOS, Linux, and Android, delivering fixes for 18 newly discovered security vulnerabilities. The release includes four critical and 14 high severity flaws, many of which involve memory corruption issues that attackers could potentially exploit to compromise browser security.
The update is being released gradually over the coming days. While Google has not reported any active exploitation of these vulnerabilities, the company recommends users install the update immediately to reduce potential security risks.
Critical WebGL Bugs Lead the List
Among the most serious vulnerabilities are CVE-2026-13028 and CVE-2026-13032, both affecting WebGL, the browser technology that enables websites to display interactive 2D and 3D graphics.
Both flaws are classified as use-after-free vulnerabilities, a type of memory corruption issue that occurs when software continues to access memory after it has already been released. Attackers can abuse this weakness to crash applications or execute unauthorized code.
Security researchers warn that these vulnerabilities could allow attackers to craft malicious HTML pages capable of escaping Chrome’s browser sandbox. The sandbox is designed to isolate browser activity from the rest of the operating system, making sandbox escape vulnerabilities especially dangerous because they can open a path toward broader system compromise.
One of these critical vulnerabilities, CVE-2026-13028, was reported by an anonymous security researcher, while Google internally discovered the remaining critical issues included in this release.
Autofill Vulnerability Raises Additional Concerns
Another critical vulnerability, CVE-2026-13038, affects Chrome’s Autofill feature, which stores sensitive user information such as addresses and payment details.
A successful exploit targeting Autofill could expose valuable personal information or be combined with other vulnerabilities during a more advanced attack. Google has not shared technical details about the flaw; restricting this information helps prevent attackers from developing exploits before most users have updated.
Most Patched Bugs Are Memory Safety Issues
More than half of the vulnerabilities fixed in Chrome 149 are use-after-free bugs. According to Google, the remaining flaws include out-of-bounds read, uninitialized use, inappropriate implementation, and insufficient validation of untrusted input issues.
These types of vulnerabilities can result in browser crashes, memory leaks, unauthorized data access, or even remote code execution when exploited successfully. Security experts also note that attackers often combine web browser vulnerabilities with flaws in the underlying operating system or privileged browser processes to bypass security protections completely.
Google says several of the newly fixed vulnerabilities were identified using advanced testing technologies such as AddressSanitizer, libFuzzer, and AFL, alongside discoveries made by its internal security teams.
No Active Exploitation Reported
Unlike previous Chrome security updates that addressed actively exploited zero-day vulnerabilities, Google says there is currently no indication that any of the newly patched flaws have been exploited in real-world attacks.
However, the company continues its standard practice of temporarily restricting access to detailed bug reports and proof of concept information until a majority of Chrome users have installed the latest update. This reduces the likelihood of attackers creating working exploits before systems are protected.
Security researchers also point out that Chrome has already faced multiple zero day attacks this year, highlighting why timely browser updates remain an essential layer of defense.
How to Update Chrome?
Google has released Chrome version 149.0.7827.196 and 197 for Windows and macOS, 149.0.7827.196 for Linux, and 149.0.7827.197 for Android.
Users who have not yet received the update automatically can manually check by opening Settings, selecting About Chrome, and allowing the browser to download the latest version. Restarting Chrome completes the installation.
For both individuals and organizations, enabling automatic updates helps ensure critical security fixes are installed as soon as they become available.
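For organizations that want to confirm the rollout rather than assume it, the following added example (not from Google or the original article) audits a list of reported Chrome versions against the fixed builds listed above. The host names and version strings are constructed sample data, and using .196 as the minimum for Windows and macOS is an assumption of the example.

```python
import re

# Fixed builds as listed in the article. For Windows and macOS the article
# lists both .196 and .197; treating the lower one as the minimum is an
# assumption of this example.
FIXED = {
    "windows": (149, 0, 7827, 196),
    "macos": (149, 0, 7827, 196),
    "linux": (149, 0, 7827, 196),
    "android": (149, 0, 7827, 197),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def audit(inventory):
    """Return (host, status) pairs: 'patched', 'outdated' or 'unknown'."""
    results = []
    for host, platform, reported in inventory:
        version = parse_version(reported)
        fixed = FIXED.get(platform.lower())
        if version is None or fixed is None:
            status = "unknown"   # unparsable version or platform not listed
        elif version >= fixed:   # tuple comparison is numeric, field by field;
            status = "patched"   # comparing strings would rank ".95" above ".196"
        else:
            status = "outdated"
        results.append((host, status))
    return results

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("ws-01", "windows", "Google Chrome 149.0.7827.197"),
    ("ws-02", "windows", "Google Chrome 149.0.7827.95"),
    ("mac-01", "macos", "Google Chrome 148.0.7778.210"),
    ("lin-01", "linux", "Google Chrome 149.0.7827.196"),
    ("and-01", "android", "149.0.7827.196"),
    ("kiosk-01", "chromeos", "149.0.7827.196"),
    ("ws-03", "windows", "version unavailable"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be treated as unverified rather than safe, since a missing or malformed version often means the inventory agent itself is stale.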
SQ Magazine Takeaway
I think this update is another reminder that web browsers have become one of the biggest targets for cybercriminals. Even though Google says these flaws are not being actively exploited, waiting to install security updates is never worth the risk. Chrome is used for everything from online banking to work and shopping, so keeping it updated is one of the easiest and most effective ways to stay protected.