Chrome 149 Security Update — Patch for Critical Flaws that Enable Code Execution Attacks
By Guru Baran
June 25, 2026
Google has released a critical security update for its Chrome browser, pushing the Stable channel to version 149.0.7827.196/197 for Windows and Mac, and 149.0.7827.196 for Linux.
The update addresses 18 security vulnerabilities, including four rated Critical and fourteen rated High severity, several of which could allow attackers to execute arbitrary code on affected systems.
The most severe fixes target Use-after-Free (UAF) vulnerabilities in Chrome’s WebGL rendering engine. CVE-2026-13028 was reported by an anonymous researcher on June 7, 2026, while CVE-2026-13032 was identified internally by Google on June 13.
UAF flaws occur when a program continues referencing memory after it has been freed, potentially allowing attackers to hijack execution flow and run malicious code.
Also rated Critical, CVE-2026-13033 addresses an Out-of-Bounds Read in Blink’s InterestGroups component, and CVE-2026-13038 patches another Use-after-Free in Chrome’s Autofill subsystem. Both were discovered internally by Google between June 13 and 14, 2026.
The update resolves 14 High-severity flaws spanning multiple Chrome components:
| CVE ID | Severity | Vulnerability Type | Affected Component |
|---|---|---|---|
| CVE-2026-13021 | High | Inappropriate Implementation | DeviceBoundSessionCredentials |
| CVE-2026-13022 | High | Inappropriate Implementation | Autofill |
| CVE-2026-13023 | High | Uninitialized Use | GPU |
| CVE-2026-13024 | High | Insufficient Input Validation | Navigation |
| CVE-2026-13025 | High | Insufficient Input Validation | DevTools |
| CVE-2026-13026 | High | Use-after-Free | Digital Credentials |
| CVE-2026-13027 | High | Use-after-Free | FileSystem |
| CVE-2026-13029 | High | Use-after-Free | Web Authentication |
| CVE-2026-13030 | High | Uninitialized Use | GPU |
| CVE-2026-13031 | High | Use-after-Free | Blink |
| CVE-2026-13034 | High | Inappropriate Implementation | Passwords |
| CVE-2026-13035 | High | Use-after-Free | Bluetooth |
| CVE-2026-13036 | High | Use-after-Free | Blink |
| CVE-2026-13037 | High | Use-after-Free | WebView |
The concentration of UAF bugs across critical browser components like WebGL, Autofill, Bluetooth, and WebView signals a broad attack surface that threat actors could exploit to achieve privilege escalation or remote code execution.
Google notes that bug details will remain restricted until the majority of users are updated, a standard practice to prevent active exploitation before patches are widely deployed.
Many vulnerabilities were discovered using Google’s internal fuzzing and sanitizer toolchain, including AddressSanitizer, MemorySanitizer, and libFuzzer.
Users and enterprise administrators should prioritize updating Chrome immediately. To manually update, navigate to Settings → Help → About Google Chrome and allow the browser to apply the latest build.
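For administrators checking many machines rather than one, the sketch below classifies an inventory of Chrome version strings against the fixed builds named above. It is an added example, not code from Google or from this article; the record layout, platform labels, and sample hosts are assumptions made for illustration.

```python
import re

# Fixed Stable builds as stated in the article. 196 is the lowest patched
# build on every platform (Windows and Mac may also report 197).
FIXED_BUILD = {
    "windows": (149, 0, 7827, 196),
    "mac": (149, 0, 7827, 196),
    "linux": (149, 0, 7827, 196),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part Chrome version from `--version` style output."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(platform, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    fixed = FIXED_BUILD.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never assume an unparsed host is safe
    # Tuple comparison is numeric per component, so 148.x.x.210 < 149.x.x.196.
    return "patched" if version >= fixed else "vulnerable"


def audit(records):
    """Group hostnames by status; records are (host, platform, version_text)."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version_text in records:
        report[classify(platform, version_text)].append(host)
    return report


# Constructed sample inventory (hostnames and old/new versions are made up).
SAMPLE = [
    ("ws-001", "windows", "Google Chrome 149.0.7827.197"),
    ("ws-002", "windows", "Google Chrome 149.0.7827.120"),
    ("mb-010", "mac", "Google Chrome 149.0.7827.196"),
    ("lx-020", "linux", "Google Chrome 148.0.7800.210 "),
    ("lx-021", "linux", "Google Chrome 150.0.7900.10"),
    ("kiosk-7", "chromeos", "Google Chrome 149.0.7827.196"),
    ("ws-003", "windows", "version query failed"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown (an unlisted platform or an unreadable version string) need a manual check rather than being counted as patched.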
Guru Baran (https://cybersecuritynews.com)
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.