VYPR
Patch · Published Jun 12, 2026 · 1 source

Chrome 149 Update Patches 28 Vulnerabilities, Including Critical Use-After-Free Flaws

Google released Chrome 149, fixing 28 security vulnerabilities—including five critical bugs—while warning that a dozen use-after-free defects could enable sandbox escape and remote code execution.

Google has rolled out Chrome 149, an update that patches 28 vulnerabilities spanning critical and high severity ratings. The release arrives amid an unprecedented surge in Chrome flaws this year, with the company having already fixed over 700 security issues in 2026—more than five times the total for all of 2025.

The update addresses five critical-severity bugs: use-after-free issues in Core, DigitalCredentials, and WebMIDI, insufficient validation of untrusted input in Accessibility, and a heap buffer overflow in the GPU component. The remaining 23 vulnerabilities are rated high severity and include nine additional use-after-free defects, four insufficient validation flaws, three inappropriate implementation bugs, two insufficient policy enforcement issues, two out-of-bounds reads, an out-of-bounds write, a race condition, and another heap buffer overflow.

Notably, a dozen of the patched vulnerabilities—three critical and nine high-severity—are use-after-free memory safety bugs. Such flaws occur when a program continues to use memory after it has been freed, potentially allowing attackers to execute arbitrary code, corrupt data, or trigger denial-of-service. In Chrome's architecture, these bugs can be chained with operating-system or browser-privilege vulnerabilities to achieve sandbox escape, giving attackers broader system access.

Google has been systematically combatting use-after-free issues for years. In 2022 it introduced MiraclePtr, a security mechanism that makes exploitation of these bugs more difficult. The company is also progressively rewriting Chrome's core components in Rust, a memory-safe language that eliminates use-after-free vulnerabilities at compile time. Despite these efforts, the volume of use-after-free flaws surfacing has increased over recent months, which Google attributes partly to the use of AI for vulnerability discovery.

According to the advisory, 27 of the 28 vulnerabilities were reported internally by Google's security teams; only one was credited to an independent researcher. The company stated that none of the flaws are known to have been exploited in the wild as of the release date. The latest update is rolling out as versions 149.0.7827.114/.115 for Windows and macOS, and 149.0.7827.114 for Linux.
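For teams verifying rollout, the sketch below is an added example (not from Google's advisory or the original article) that classifies collected browser version strings against the fixed build 149.0.7827.114 named above. The inventory format (`host<TAB>version output`), the host names and the older version numbers are constructed for illustration.

```python
import re

# Fixed build taken from the article: 149.0.7827.114 (.115 also ships on Windows/macOS).
FIXED = (149, 0, 7827, 114)

# Exactly four dot-separated numeric components, not part of a longer dotted run.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the four-part Chrome version found in `text` as an int tuple, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(version, fixed=FIXED):
    """Compare component-wise as integers; string comparison would rank '99' above '149'."""
    return version >= fixed


def audit(inventory_lines):
    """Classify 'host<TAB>version output' lines as patched / outdated / unknown."""
    results = []
    for line in inventory_lines:
        host, _, raw = line.partition("\t")
        version = parse_version(raw)
        if version is None:
            status = "unknown"      # no parsable version: needs manual follow-up
        elif is_patched(version):
            status = "patched"
        else:
            status = "outdated"
        results.append((host.strip(), version, status))
    return results


# Constructed sample inventory (hypothetical hosts and builds, not real data).
SAMPLE = [
    "ws-001\tGoogle Chrome 149.0.7827.115",
    "ws-002\tGoogle Chrome 149.0.7827.113",
    "mac-07\tGoogle Chrome 148.0.7778.97 ",
    "lnx-12\tGoogle Chrome 149.0.7827.114 stable",
    "kiosk-3\tcommand not found",
    "ws-009\tGoogle Chrome 99.0.4844.84",
]

if __name__ == "__main__":
    for host, version, status in audit(SAMPLE):
        shown = ".".join(map(str, version)) if version else "n/a"
        print(f"{host:8} {shown:18} {status}")
```

Hosts reported as `unknown` should be treated as unverified rather than compliant, since a missing version string says nothing about the installed build.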

The release underscores the growing challenge of securing the world's most popular browser at a time when automated tools are accelerating both the discovery of vulnerabilities and the development of exploits. Since the beginning of 2026, five zero-day vulnerabilities in Chrome have already been exploited before patches were available. Users are urged to apply the latest Chrome 149 update immediately to protect against potential attacks.

Synthesized by Vypr AI