Eighteen bugs, four of them critical, and one browser update stand between your computer and a bad time.
Google pushed out Chrome 149 last week, rolling the Stable channel to version 149.0.7827.196/197 on Windows and Mac, and 149.0.7827.196 on Linux. The update fixes 18 security issues in total: four critical-severity flaws and 14 rated high. Chrome for Android also picked up the patch, landing on version 149.0.7827.197.
The critical bugs
The two most attention-grabbing flaws live in WebGL, the technology websites use to render interactive 2D and 3D graphics in your browser. Both CVE-2026-13028 and CVE-2026-13032 are “use after free” bugs, a type of memory error in which a program continues to access memory that has already been freed.
Attackers can potentially exploit that mistake to break out of Chrome’s sandbox, the protective bubble meant to keep anything malicious confined to the browser, using nothing more than a rigged webpage.
The other two critical issues hit Chrome’s Autofill feature (another use-after-free flaw, CVE-2026-13038) and a component called Blink>InterestGroups, where an out-of-bounds read bug, CVE-2026-13033, was found.
Beyond the critical four, the 14 high-severity fixes touch a wide swath of Chrome’s plumbing, including GPU handling, Bluetooth, DevTools, passwords, web authentication, and Chrome’s WebView component, among others. Altogether, roughly 10 of the 18 patched bugs across both severity tiers are use-after-free issues.
Who found the bugs
Only one of the 18 bugs came from outside Google: an anonymous researcher reported the first WebGL flaw back on June 7. The remaining 17 were caught internally, largely through Google’s own fuzzing and sanitization tools, such as AddressSanitizer and libFuzzer.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” said Google. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
Why this matters
There’s no evidence any of these 18 bugs have been exploited in the wild yet, but that’s cold comfort given Chrome’s track record this year. The browser has already seen multiple zero-days actively exploited in 2026, including one, CVE-2026-2441, that let attackers run code inside Chrome’s sandbox via a malicious site.
Pair a bug like that with one of this week’s WebGL sandbox-escape flaws, and you’ve got a credible path from annoying pop-up to full system compromise. Use-after-free bugs are exactly the kind of building blocks attackers chain together for that purpose.
A quieter month, relatively speaking
This batch is small by recent standards. April and May saw a surge in newly discovered Chrome vulnerabilities, peaking with a massive 429 fixes bundled into an early-June release.
Eighteen bugs look almost tame by comparison, though security watchers note the heavy reliance on Google’s own researchers, rather than outside bounty hunters, may reflect AI-assisted bug hunting becoming more central to Chrome’s security pipeline.
What you should do
The update rolls out automatically over the coming days and weeks, but there’s no reason to wait. Click the three-dot menu in Chrome, go to Settings, then “About Chrome” — if an update’s ready, it’ll download immediately. Restart the browser, and you’re covered.
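For anyone responsible for more than one machine, the version numbers reported above can be turned into an inventory check. The Python below is an added example, not part of the original article or any Google tooling; the host names and inventory rows are constructed, and it assumes any build at or above the stated per-platform version carries the fixes.

```python
import re

# Minimum patched builds per platform, as stated in the article.
PATCHED = {
    "windows": "149.0.7827.196",
    "mac": "149.0.7827.196",
    "linux": "149.0.7827.196",
    "android": "149.0.7827.197",
}

def parse_version(text):
    """Return a 4-tuple of ints for 'MAJOR.MINOR.BUILD.PATCH', or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text, flags=re.ASCII):
        return None
    return tuple(int(part) for part in text.split("."))

def assess(platform, version):
    """Classify one install as 'patched', 'vulnerable' or 'unknown'."""
    minimum = PATCHED.get(platform.lower())
    installed = parse_version(version)
    if minimum is None or installed is None:
        return "unknown"  # unlisted platform or unparseable version: review by hand
    # Compare field by field as integers; a plain string comparison would
    # wrongly rank '149.0.7827.99' above '149.0.7827.196'.
    return "patched" if installed >= parse_version(minimum) else "vulnerable"

# Constructed sample inventory (hypothetical hosts), not real data.
INVENTORY = [
    ("laptop-01", "windows", "149.0.7827.197"),
    ("laptop-02", "mac", "149.0.7827.99"),
    ("build-03", "linux", "148.0.7778.215"),
    ("phone-04", "android", "149.0.7827.196"),   # Android needs .197
    ("kiosk-05", "linux", "149.0.7827.196 "),    # trailing space from a scrape
    ("vm-06", "chromeos", "149.0.7827.196"),     # platform not covered by the article
    ("vm-07", "windows", "unknown"),
]

def report(inventory):
    """Map each host name to its classification."""
    return {host: assess(platform, version) for host, platform, version in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts that come back as "unknown" are deliberately not counted as patched, so a missing or garbled version string gets a manual look instead of a silent pass.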