Google Chrome 149 Fixes a Record-Breaking 429 Vulnerabilities

Google Chrome 149 Patches Record 429 Vulnerabilities

Security // Browser Watch

Security Update

Google Chrome 149 Fixes a Record-Breaking 429 Vulnerabilities — Update Now

June 5, 2026 · Chrome 149.0.7827.53/54 · Windows · Mac · Linux

Google released Chrome 149 to the stable channel on June 2, 2026, patching 429 security vulnerabilities — the largest number ever addressed in a single Chrome update. Users across all desktop platforms are strongly advised to update immediately.

The sheer scale of this release is unprecedented. Chrome 149 surpasses the total count of all Chrome security fixes released in the entirety of 2025, in a single version bump. Security researchers and analysts attribute this surge partly to the increased use of AI-powered fuzzing tools, which have become significantly more effective at uncovering memory safety issues deep within the browser’s graphics, JavaScript, and networking subsystems.

No active exploitation of any of these vulnerabilities has been reported at the time of publication. However, with 22 Critical-rated flaws among the 429, the risk window between public disclosure and attempted exploitation is narrow — prompt updating is essential.

22 Critical

~90 High

~230 Medium

~87 Low

⚠ Action Required: Although no exploits are known in the wild, the 22 Critical-severity vulnerabilities in this release represent the highest possible risk rating. Google recommends all users update to Chrome 149 as soon as possible.

Critical Vulnerabilities (22 total)

The most severe flaw — CVE-2026-10881, rated CVSS 9.6 — is an out-of-bounds read and write in the ANGLE graphics engine. A remote attacker could exploit it via a crafted HTML page to escape Chrome’s sandbox and potentially execute arbitrary code on the host system. Google awarded the external researcher who reported it a $97,000 bug bounty. All 22 Critical vulnerabilities are listed below.

Critical 22 vulnerabilities

CVE	Description	Component
CVE-2026-10881	Out of bounds read and write	ANGLE
CVE-2026-10882	Use after free	Network
CVE-2026-10883	Out of bounds write	ANGLE
CVE-2026-10884	Use after free	Chromecast
CVE-2026-10885	Use after free	Chrome for iOS
CVE-2026-10886	Use after free	FileSystem
CVE-2026-10887	Use after free	Chromoting
CVE-2026-10888	Use after free	Cast Streaming
CVE-2026-10889	Out of bounds read	ANGLE
CVE-2026-10890	Use after free	Cast
CVE-2026-10891	Use after free	GFX
CVE-2026-10892	Out of bounds write	GPU
CVE-2026-10893	Use after free	Chromoting
CVE-2026-10894	Use after free	Printing
CVE-2026-10895	Use after free	Ozone
CVE-2026-10896	Use after free	Chrome for iOS
CVE-2026-10897	Out of bounds write	GPU
CVE-2026-10898	Stack buffer overflow	GPU
CVE-2026-10899	Use after free	Ozone
CVE-2026-10900	Use after free	Passwords
CVE-2026-10901	Use after free	Passwords
CVE-2026-10902	Use after free	Ozone

High ~90 vulnerabilities (CVE-2026-10903 through CVE-2026-10989, selected)

CVE	Description	Component
CVE-2026-10903	Use after free	WebRTC
CVE-2026-10904	Inappropriate implementation	V8
CVE-2026-10905	Use after free	Network
CVE-2026-10906	Use after free	WebAuthentication
CVE-2026-10907	Out of bounds write	ANGLE
CVE-2026-10910	Type Confusion	V8
CVE-2026-10913	Use after free	ANGLE
CVE-2026-10921	Integer overflow	Dawn
CVE-2026-10925	Out of bounds write	Skia
CVE-2026-10929	Heap buffer overflow	ANGLE
CVE-2026-10936	Type Confusion	V8
CVE-2026-10946	Heap buffer overflow	Media
CVE-2026-10949	Heap buffer overflow	Video
CVE-2026-10955	Type Confusion	ANGLE
CVE-2026-10963	Integer overflow	V8
CVE-2026-10988	Use after free	Views
CVE-2026-10989	Inappropriate implementation	V8

† Full list continues through CVE-2026-10989. Over 70 additional High-severity entries omitted for brevity; see the official Chrome release blog for the complete advisory.

Medium ~230 vulnerabilities (CVE-2026-10990 – CVE-2026-11215)

Medium-severity issues span a wide surface area including Use-after-free in V8, WebRTC, Autofill, Passwords, ANGLE, and Media; integer overflows in ANGLE, GPU, V8, Blink, and Chromoting; heap buffer overflows in Skia, TabStrip, and Extensions; type confusion in GPU, CSS, and Media; uninitialized use in ANGLE, Dawn, Skia, and GPU; and a broad range of insufficient validation and policy enforcement issues across nearly every Chrome subsystem. A full machine-readable list is available in the official Chrome advisory.

Low ~87 vulnerabilities (CVE-2026-11216 – CVE-2026-11309)

Low-severity entries include incorrect security UI issues in File Input, Tab Strip, Tab Hover Cards, WebUI, Passwords, and Downloads; policy bypass flaws in Permissions, SafeBrowsing, CSS, ServiceWorker, Sandbox, Shortcuts, Content Security Policy, and Blink; side-channel information leakage in PerformanceAPIs and Paint; use-after-free bugs in Chromoting, Extensions, Network, PDFium (5 separate entries), and Input; and miscellaneous insufficient validation flaws in Navigation, Extensions, Cast, and Wallet.

What Makes This Release Unusual

The 429-vulnerability count is not the result of a single security incident but rather reflects a sustained acceleration in Chrome’s internal bug discovery program. Google has been applying AI-assisted fuzzing extensively to its codebase, and the results are showing up in release notes at an unprecedented scale. Out of the 22 Critical flaws, only three were reported by external researchers; the remaining 19 were found internally. Among roughly 90 High-severity bugs, only 10 came from outside researchers, with the bulk of medium and low findings also originating from Google’s own tooling.

The top external bounty awarded in this release was $97,000 for CVE-2026-10881, reflecting both the severity of the ANGLE out-of-bounds flaw and Chrome’s continued investment in its bug bounty program.

Affected Versions and Available Updates

Windows

149.0.7827.53 / .54

macOS

149.0.7827.53 / .54

Linux

149.0.7827.53

Chrome is available free of charge from Google’s website for Windows, macOS, and Linux. Any installed version prior to those listed above is potentially vulnerable to all 429 flaws addressed in this release.

How to Update Chrome Now

Manual Update Instructions

Open Chrome and navigate to chrome://settings/help or go to Menu → Help → About Google Chrome.

Chrome will automatically detect and download the available update. Wait for the download to complete.

Click Relaunch to restart the browser and fully apply the update. The update is not active until Chrome is restarted.

Confirm the installed version reads 149.0.7827.53 (Linux / Mac) or 149.0.7827.54 (Windows) on the same About page.

Chrome updates automatically in the background when a new version is available, but the update does not take effect until the browser is restarted. Users who leave Chrome running for extended periods may be on a vulnerable version even after the update has been downloaded. Restarting Chrome ensures the fix is applied.

Bottom line: With 22 Critical-rated flaws — any one of which could allow a remote attacker to escape Chrome’s sandbox via a malicious web page — this is one of the most significant Chrome security releases in the browser’s history. Update as soon as possible and restart Chrome to complete the process.

Google Chrome 149 Fixes a Record-Breaking 429 Vulnerabilities — Update Now. Google released Chrome 149 to the stable channel on June 2, 2026, patching 429 security vulnerabilities — the largest number ever addressed in a single Chrome update. Users across all desktop platforms are strongly advised to update immediately.