Google Chrome 149 Fixes a Record-Breaking 429 Vulnerabilities — Update Now
- 60% of MD5 Password Hashes Can Be Cracked in Under an Hour with a Single GPU
- Dirty Frag: Root Access on Every Major Linux Distribution — No Patch, No Warning
- Ubuntu 26.04 LTS (Resolute Raccoon): The Most Ambitious Ubuntu LTS in a Decade
- Proton Mail: Data Transferred to FBI Again!
- How Close Are Quantum Computers to Breaking RSA-2048?
- How to Prevent Ransomware Infection Risks?
- What is the best alternative to Microsoft Office?
Security // Browser Watch
Google Chrome 149 Fixes a Record-Breaking 429 Vulnerabilities — Update Now
Google released Chrome 149 to the stable channel on June 2, 2026, patching 429 security vulnerabilities — the largest number ever addressed in a single Chrome update. Users across all desktop platforms are strongly advised to update immediately.
The sheer scale of this release is unprecedented. Chrome 149 surpasses the total count of all Chrome security fixes released in the entirety of 2025, in a single version bump. Security researchers and analysts attribute this surge partly to the increased use of AI-powered fuzzing tools, which have become significantly more effective at uncovering memory safety issues deep within the browser’s graphics, JavaScript, and networking subsystems.
No active exploitation of any of these vulnerabilities has been reported at the time of publication. However, with 22 Critical-rated flaws among the 429, the risk window between public disclosure and attempted exploitation is narrow — prompt updating is essential.
Critical Vulnerabilities (22 total)
The most severe flaw — CVE-2026-10881, rated CVSS 9.6 — is an out-of-bounds read and write in the ANGLE graphics engine. A remote attacker could exploit it via a crafted HTML page to escape Chrome’s sandbox and potentially execute arbitrary code on the host system. Google awarded the external researcher who reported it a $97,000 bug bounty. All 22 Critical vulnerabilities are listed below.
| CVE | Description | Component |
|---|---|---|
| CVE-2026-10881 | Out of bounds read and write | ANGLE |
| CVE-2026-10882 | Use after free | Network |
| CVE-2026-10883 | Out of bounds write | ANGLE |
| CVE-2026-10884 | Use after free | Chromecast |
| CVE-2026-10885 | Use after free | Chrome for iOS |
| CVE-2026-10886 | Use after free | FileSystem |
| CVE-2026-10887 | Use after free | Chromoting |
| CVE-2026-10888 | Use after free | Cast Streaming |
| CVE-2026-10889 | Out of bounds read | ANGLE |
| CVE-2026-10890 | Use after free | Cast |
| CVE-2026-10891 | Use after free | GFX |
| CVE-2026-10892 | Out of bounds write | GPU |
| CVE-2026-10893 | Use after free | Chromoting |
| CVE-2026-10894 | Use after free | Printing |
| CVE-2026-10895 | Use after free | Ozone |
| CVE-2026-10896 | Use after free | Chrome for iOS |
| CVE-2026-10897 | Out of bounds write | GPU |
| CVE-2026-10898 | Stack buffer overflow | GPU |
| CVE-2026-10899 | Use after free | Ozone |
| CVE-2026-10900 | Use after free | Passwords |
| CVE-2026-10901 | Use after free | Passwords |
| CVE-2026-10902 | Use after free | Ozone |
| CVE | Description | Component |
|---|---|---|
| CVE-2026-10903 | Use after free | WebRTC |
| CVE-2026-10904 | Inappropriate implementation | V8 |
| CVE-2026-10905 | Use after free | Network |
| CVE-2026-10906 | Use after free | WebAuthentication |
| CVE-2026-10907 | Out of bounds write | ANGLE |
| CVE-2026-10910 | Type Confusion | V8 |
| CVE-2026-10913 | Use after free | ANGLE |
| CVE-2026-10921 | Integer overflow | Dawn |
| CVE-2026-10925 | Out of bounds write | Skia |
| CVE-2026-10929 | Heap buffer overflow | ANGLE |
| CVE-2026-10936 | Type Confusion | V8 |
| CVE-2026-10946 | Heap buffer overflow | Media |
| CVE-2026-10949 | Heap buffer overflow | Video |
| CVE-2026-10955 | Type Confusion | ANGLE |
| CVE-2026-10963 | Integer overflow | V8 |
| CVE-2026-10988 | Use after free | Views |
| CVE-2026-10989 | Inappropriate implementation | V8 |
† Full list continues through CVE-2026-10989. Over 70 additional High-severity entries omitted for brevity; see the official Chrome release blog for the complete advisory.
Medium-severity issues span a wide surface area including Use-after-free in V8, WebRTC, Autofill, Passwords, ANGLE, and Media; integer overflows in ANGLE, GPU, V8, Blink, and Chromoting; heap buffer overflows in Skia, TabStrip, and Extensions; type confusion in GPU, CSS, and Media; uninitialized use in ANGLE, Dawn, Skia, and GPU; and a broad range of insufficient validation and policy enforcement issues across nearly every Chrome subsystem. A full machine-readable list is available in the official Chrome advisory.
Low-severity entries include incorrect security UI issues in File Input, Tab Strip, Tab Hover Cards, WebUI, Passwords, and Downloads; policy bypass flaws in Permissions, SafeBrowsing, CSS, ServiceWorker, Sandbox, Shortcuts, Content Security Policy, and Blink; side-channel information leakage in PerformanceAPIs and Paint; use-after-free bugs in Chromoting, Extensions, Network, PDFium (5 separate entries), and Input; and miscellaneous insufficient validation flaws in Navigation, Extensions, Cast, and Wallet.
What Makes This Release Unusual
The 429-vulnerability count is not the result of a single security incident but rather reflects a sustained acceleration in Chrome’s internal bug discovery program. Google has been applying AI-assisted fuzzing extensively to its codebase, and the results are showing up in release notes at an unprecedented scale. Out of the 22 Critical flaws, only three were reported by external researchers; the remaining 19 were found internally. Among roughly 90 High-severity bugs, only 10 came from outside researchers, with the bulk of medium and low findings also originating from Google’s own tooling.
The top external bounty awarded in this release was $97,000 for CVE-2026-10881, reflecting both the severity of the ANGLE out-of-bounds flaw and Chrome’s continued investment in its bug bounty program.
Affected Versions and Available Updates
Chrome is available free of charge from Google’s website for Windows, macOS, and Linux. Any installed version prior to those listed above is potentially vulnerable to all 429 flaws addressed in this release.
How to Update Chrome Now
Manual Update Instructions
chrome://settings/help or go to Menu → Help → About Google Chrome.149.0.7827.53 (Linux / Mac) or 149.0.7827.54 (Windows) on the same About page.Chrome updates automatically in the background when a new version is available, but the update does not take effect until the browser is restarted. Users who leave Chrome running for extended periods may be on a vulnerable version even after the update has been downloaded. Restarting Chrome ensures the fix is applied.
