Chrome 149 Arrives With a Major Security Overhaul
Google has rolled out a significant Chrome security update for desktop users. Version 149.0.7827.114/.115 is now available for Windows and Mac, while Linux receives 149.0.7827.114. The rollout will continue over the coming days and weeks.
This release addresses 28 separate security issues. Several of these carry a critical severity rating, meaning they could allow attackers to execute arbitrary code or crash the browser entirely.
Critical Use-After-Free Flaws Lead the Pack
Five vulnerabilities received a critical rating. CVE-2026-12007 affects the Core component through a use-after-free condition. Similarly, CVE-2026-12008 impacts DigitalCredentials, while CVE-2026-12011 affects WebMIDI through the same flaw type.
Meanwhile, CVE-2026-12009 involves insufficient input validation in Accessibility features. Additionally, CVE-2026-12010 is a heap buffer overflow in the GPU component. Attackers exploiting these flaws could potentially gain control over affected systems.
High-Severity Issues Span Many Components
Beyond the critical fixes, this Chrome security update resolves 23 high-severity bugs. These touch a wide range of components, including Network, Media, Cast, Autofill, DevTools, and Extensions.
Several use-after-free issues recur throughout the list, affecting Autofill, GPU, Video, and Views components. Furthermore, race conditions in Safe Browsing and policy enforcement gaps in DevTools and Headless mode round out the fixes.
Independent researcher Henock Habte reported CVE-2026-12013, a use-after-free bug in the Media component. Google’s own security team identified the remaining issues internally.
Why This Matters for Users
Use-after-free vulnerabilities remain a favorite target for exploit developers. Therefore, prompt patching is essential. Chrome typically updates automatically, though users can manually trigger the process through the browser’s settings menu.
For full technical details on each fix, readers can consult the official Chrome stable channel release notes. Google often restricts bug details until most users have updated.
Recommended Action
Users should verify their Chrome version reads 149.0.7827.114 or later. Restarting the browser completes the update process. Given the volume of critical and high-severity fixes, delaying this update significantly increases exposure to potential exploitation.
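For administrators checking more than one machine, the version check above can be scripted. The following is an added example, not code from Google or from the original article; it assumes version lines in the form printed by `google-chrome --version` (for example `Google Chrome 149.0.7827.114`), and the sample lines are constructed. It compares each field numerically, because a plain string comparison would rank 149.0.7827.99 above 149.0.7827.114.

```sh
#!/bin/sh
# Fixed build named in the article (assumed to be the minimum safe version).
FIXED="149.0.7827.114"

# Pull the first four-part dotted version out of a line of text.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 if version $1 >= version $2, comparing field by field as integers.
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2                  # split both versions into eight fields
    IFS=$old_ifs
    [ "$#" -eq 8 ] || return 2    # malformed input
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        a=${pair%%:*}; b=${pair##*:}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
    done
    return 0                      # all four fields equal
}

# Print PATCHED, OUTDATED, or UNKNOWN for one reported version line.
chrome_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo UNKNOWN
    elif version_ge "$v" "$FIXED"; then
        echo PATCHED
    else
        echo OUTDATED
    fi
}

# Constructed sample lines standing in for collected `--version` output.
for line in "Google Chrome 149.0.7827.114" "Google Chrome 149.0.7827.99" \
            "Google Chrome 150.0.1.2" "no version reported"; do
    printf '%-32s %s\n' "$line" "$(chrome_status "$line")"
done
```

An UNKNOWN result means no version could be parsed from the line and the host needs a manual check.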