
Chrome 149 Security Update — Patch for Critical Flaws that Enable Code Execution Attacks


Jun 25, 2026

Google has released a critical security update for its Chrome browser, pushing the Stable channel to version 149.0.7827.196/197 for Windows and Mac, and 149.0.7827.196 for Linux.

The update addresses 18 security vulnerabilities, including four rated Critical and fourteen rated High severity, several of which could allow attackers to execute arbitrary code on affected systems.

The most severe fixes target Use-after-Free (UAF) vulnerabilities in Chrome’s WebGL rendering engine. CVE-2026-13028 was reported by an anonymous researcher on June 7, 2026, while CVE-2026-13032 was identified internally by Google on June 13.

UAF flaws occur when a program continues referencing memory after it has been freed, potentially allowing attackers to hijack execution flow and run malicious code.

Also rated Critical, CVE-2026-13033 addresses an Out-of-Bounds Read in Blink’s InterestGroups component, and CVE-2026-13038 patches another Use-after-Free in Chrome’s Autofill subsystem. Both were discovered internally by Google between June 13 and 14, 2026.

The update resolves 14 High-severity flaws spanning multiple Chrome components:

| CVE ID | Severity | Vulnerability Type | Affected Component |
|---|---|---|---|
| CVE-2026-13021 | High | Inappropriate Implementation | DeviceBoundSessionCredentials |
| CVE-2026-13022 | High | Inappropriate Implementation | Autofill |
| CVE-2026-13023 | High | Uninitialized Use | GPU |
| CVE-2026-13024 | High | Insufficient Input Validation | Navigation |
| CVE-2026-13025 | High | Insufficient Input Validation | DevTools |
| CVE-2026-13026 | High | Use-after-Free | Digital Credentials |
| CVE-2026-13027 | High | Use-after-Free | FileSystem |
| CVE-2026-13029 | High | Use-after-Free | Web Authentication |
| CVE-2026-13030 | High | Uninitialized Use | GPU |
| CVE-2026-13031 | High | Use-after-Free | Blink |
| CVE-2026-13034 | High | Inappropriate Implementation | Passwords |
| CVE-2026-13035 | High | Use-after-Free | Bluetooth |
| CVE-2026-13036 | High | Use-after-Free | Blink |
| CVE-2026-13037 | High | Use-after-Free | WebView |

The concentration of UAF bugs across critical browser components like WebGL, Autofill, Bluetooth, and WebView signals a broad attack surface that threat actors could exploit to achieve privilege escalation or remote code execution.

Google notes that bug details will remain restricted until the majority of users are updated, a standard practice to prevent active exploitation before patches are widely deployed.

Many vulnerabilities were discovered using Google’s internal fuzzing and sanitizer toolchain, including AddressSanitizer, MemorySanitizer, and libFuzzer.

Users and enterprise administrators should prioritize updating Chrome immediately. To manually update, navigate to Settings → Help → About Google Chrome and allow the browser to apply the latest build.
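For administrators checking many machines rather than one, the sketch below is an added example (not from Google or the original article) that classifies collected Chrome version strings against the patched build named above. The inventory rows, host names and the older and newer version numbers in it are constructed; how the version strings are collected is left to your own tooling.

```python
import re

# Lowest patched Stable build per platform, taken from the article.
# Windows/Mac shipped as .196/.197, so .196 is the floor everywhere.
PATCHED = {
    "windows": (149, 0, 7827, 196),
    "mac": (149, 0, 7827, 196),
    "linux": (149, 0, 7827, 196),
}

# Exactly four dot-separated numeric fields, not part of a longer number.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

def parse_version(text):
    """Extract the four-part Chrome version from a string, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def audit(inventory):
    """Map host -> 'patched', 'outdated' or 'unknown'."""
    results = {}
    for host, platform, raw in inventory:
        version = parse_version(raw)
        floor = PATCHED.get(platform.lower())
        if version is None or floor is None:
            results[host] = "unknown"   # never count unparseable data as safe
        elif version >= floor:          # tuple compare is numeric per field
            results[host] = "patched"
        else:
            results[host] = "outdated"
    return results

# Constructed inventory: (host, platform, reported version string).
SAMPLE = [
    ("ws-001", "Windows", "Google Chrome 149.0.7827.197"),
    ("ws-002", "Windows", "Google Chrome 149.0.7827.99"),   # 99 < 196 numerically
    ("mac-01", "Mac", "Google Chrome 149.0.7827.196"),
    ("lnx-01", "Linux", "Google Chrome 148.0.7700.250"),    # constructed older build
    ("lnx-02", "Linux", "Google Chrome 150.0.7900.10 beta"),  # constructed newer build
    ("kiosk-9", "ChromeOS", "149.0.7827.196"),              # platform not covered here
    ("ws-003", "Windows", "version lookup failed"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:8} {status}")
```

Comparing the fields as integers matters: a plain string comparison would rank build .99 above .196 and report ws-002 as patched.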

Source: CybersecurityNews.com
