Google Patches 18 Chrome Vulnerabilities, Including Two Critical WebGL Use-After-Free Flaws
Google released Chrome 149.0.7827.196/197 for Windows and Mac, fixing 18 vulnerabilities including four critical bugs, with two WebGL use-after-free flaws that could enable sandbox escape.

Google has released a security update for Chrome that patches 18 vulnerabilities, four of which are rated Critical. The stable channel has been updated to version 149.0.7827.196/197 for Windows and Mac, and 149.0.7827.196 for Linux. Chrome for Android was also updated to 149.0.7827.197. While no active exploitation has been reported for these specific bugs, the update comes amid a year that has already seen multiple Chrome zero-days exploited in the wild.
Among the most serious flaws are two Critical-rated use-after-free vulnerabilities in WebGL, the browser technology that enables interactive 2D and 3D graphics on web pages. Tracked as CVE-2026-13028 and CVE-2026-13032, both bugs could allow an attacker to escape Chrome's sandbox by tricking a user into visiting a specially crafted HTML page. Use-after-free vulnerabilities occur when a program keeps using a pointer to memory after that memory has been freed, allowing an attacker to crash the program or execute arbitrary code.
Sandbox escape is particularly dangerous because it allows an attacker to break out of the restricted environment that is supposed to contain malicious activity within the browser. Once outside the sandbox, an attacker can potentially compromise the entire operating system. The two WebGL flaws are especially concerning when paired with other vulnerabilities, such as CVE-2026-2441, which was patched in a separate update and allowed code execution inside the sandbox. Combined, these bugs could give attackers full control of a victim's system.
Google's internal security teams discovered most of the vulnerabilities fixed in this update. The only exception among the Critical bugs is CVE-2026-13028, which was reported by an external researcher. As is standard practice, Google has not released full technical details for the flaws to give users time to update before attackers can reverse-engineer the patches.
Users are strongly advised to update Chrome immediately. The update can be applied manually by navigating to Settings > About Chrome, where the browser will automatically download and install the latest version. Restarting the browser completes the update. Users who rarely close their browser or have extensions that block updates may be particularly vulnerable and should verify their version.
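For administrators who need to verify versions across many machines rather than one browser at a time, the following is an added example, not code from Google or from this article's author. The inventory lines and host names are constructed, and the per-platform minimum builds are taken from the version numbers stated above.

```python
import re

# Minimum patched build per platform, as stated in this article.
FIXED = {
    "windows": (149, 0, 7827, 196),
    "mac": (149, 0, 7827, 196),
    "linux": (149, 0, 7827, 196),
    "android": (149, 0, 7827, 197),
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Pull a four-part version out of a string such as
    'Google Chrome 149.0.7827.155'; return None if there is none."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def audit(inventory_lines):
    """Map each host to 'patched', 'outdated' or 'unknown'."""
    results = {}
    for line in inventory_lines:
        parts = [f.strip() for f in line.split(",", 2)]
        if len(parts) != 3:
            continue  # malformed line: no host to report on
        host, platform, reported = parts
        minimum = FIXED.get(platform.lower())
        version = parse_version(reported)
        if minimum is None or version is None:
            results[host] = "unknown"  # platform not covered above, or no version
        elif version >= minimum:       # numeric compare, so .99 sorts below .196
            results[host] = "patched"
        else:
            results[host] = "outdated"
    return results

# Constructed sample inventory: host, platform, reported version string.
SAMPLE = [
    "ws-01,windows,Google Chrome 149.0.7827.197",
    "ws-02,mac,Google Chrome 149.0.7827.155",
    "ws-03,linux,Google Chrome 149.0.7827.99",
    "ph-01,android,Chrome 149.0.7827.196",
    "ws-04,windows,not installed",
    "kiosk-1,chromeos,149.0.7827.196",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual check, since the script only knows the platforms and builds named in this article.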
This update follows a pattern of frequent Chrome security patches in 2026. Earlier this year, Google released Chrome 149.0.7827.155 fixing 25 high-severity CVEs, and the company has issued multiple out-of-band updates for zero-day vulnerabilities. The continued investment in web-based attacks by threat actors underscores the importance of keeping browsers up to date.
For additional protection, users can deploy browser security extensions such as Malwarebytes Browser Guard, which blocks phishing pages and malicious sites automatically. However, the most critical step remains applying the latest Chrome update to close the vulnerabilities at the source.