Chrome 149 Security Update — Patch for Critical Flaws that Enable Code Execution Attacks

Google has released a critical security update for its Chrome browser, pushing the Stable channel to version 149.0.7827.196/197 for Windows and Mac, and 149.0.7827.196 for Linux.

The update addresses 18 security vulnerabilities, including four rated Critical and fourteen rated High severity, several of which could allow attackers to execute arbitrary code on affected systems.

The most severe fixes target Use-after-Free (UAF) vulnerabilities in Chrome’s WebGL rendering engine. CVE-2026-13028 was reported by an anonymous researcher on June 7, 2026, while CVE-2026-13032 was identified internally by Google on June 13.

UAF flaws occur when a program continues referencing memory after it has been freed, potentially allowing attackers to hijack execution flow and run malicious code.

Also rated Critical, CVE-2026-13033 addresses an Out-of-Bounds Read in Blink’s InterestGroups component, and CVE-2026-13038 patches another Use-after-Free in Chrome’s Autofill subsystem, both discovered internally by Google between June 13–14, 2026.

The update resolves 14 High-severity flaws spanning multiple Chrome components:

CVE ID	Severity	Vulnerability Type	Affected Component
CVE-2026-13021	High	Inappropriate Implementation	DeviceBoundSessionCredentials
CVE-2026-13022	High	Inappropriate Implementation	Autofill
CVE-2026-13023	High	Uninitialized Use	GPU
CVE-2026-13024	High	Insufficient Input Validation	Navigation
CVE-2026-13025	High	Insufficient Input Validation	DevTools
CVE-2026-13026	High	Use-after-Free	Digital Credentials
CVE-2026-13027	High	Use-after-Free	FileSystem
CVE-2026-13029	High	Use-after-Free	Web Authentication
CVE-2026-13030	High	Uninitialized Use	GPU
CVE-2026-13031	High	Use-after-Free	Blink
CVE-2026-13034	High	Inappropriate Implementation	Passwords
CVE-2026-13035	High	Use-after-Free	Bluetooth
CVE-2026-13036	High	Use-after-Free	Blink
CVE-2026-13037	High	Use-after-Free	WebView

The concentration of UAF bugs across critical browser components like WebGL, Autofill, Bluetooth, and WebView signals a broad attack surface that threat actors could exploit to achieve privilege escalation or remote code execution.

Google notes that bug details will remain restricted until the majority of users are updated, a standard practice to prevent active exploitation before patches are widely deployed.

Many vulnerabilities were discovered using Google’s internal fuzzing and sanitizer toolchain, including AddressSanitizer, MemorySanitizer, and libFuzzer.

Users and enterprise administrators should prioritize updating Chrome immediately. To manually update, navigate to Settings → Help → About Google Chrome and allow the browser to apply the latest build.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates.