Google Chrome 149 security update patches 18 vulnerabilities

Vulnerability | Open | Jun 25, 2026 — Jun 25, 2026
Google has released Chrome version 149.0.7827.196/197, a stable‑channel update that patches eighteen security flaws, four of them rated critical. The update is available now and is announced on the official Chrome release blog. Users and administrators are urged to apply the patch promptly to mitigate the risk of remote code execution.

Among the fixes, CVE-2026-13028 and CVE-2026-13032 carry a CVSS score of 9.6 and are described as use‑after‑free errors in the WebGL subsystem, potentially allowing an attacker to execute arbitrary code when a malicious page is loaded. CVE-2026-13033 scores 8.8 and affects the Blink rendering engine, while CVE-2026-13038, also rated 8.8, resides in the Autofill component.

The remaining high‑severity issues cover out‑of‑bounds reads and insufficient input validation in GPU, Bluetooth, FileSystem and Web Authentication code. Google’s advisory notes that all of these bugs could lead to memory corruption if exploited.

More than half of the patched vulnerabilities belong to the use‑after‑free class, a flaw that can allow remote code execution when a user visits a specially crafted page. Google said the majority of these issues were uncovered through internal fuzzing campaigns and the latest AI‑assisted detection tools that the browser team has deployed. The company also highlighted that the increase in detected issues is partly a result of machine‑learning programmes that flag subtle memory‑safety mistakes during development. This proactive approach aims to catch problems before they reach users.

The company stated that none of the flaws are known to be actively exploited in the wild and no threat‑actor groups have been linked to them. This release follows a period of higher vulnerability counts and shows a downward trend as discovery methods improve. Security researchers note that the decline may reflect better internal hygiene and more effective automated testing.

Google’s blog post emphasises that the update includes fixes for several memory corruption errors that were identified through a combination of manual code review and automated scanning. The advisory does not mention any known exploit kits targeting these specific CVEs at this time. Nevertheless, the presence of multiple critical use‑after‑free bugs warrants urgent attention from defence teams.

Administrators should make sure that Chrome is set to update automatically or push the new version through their existing software distribution pipelines. Users can confirm they are running 149.0.7827.196 or later by opening the Help > About Chrome menu and looking for the version number. For managed environments, updating via Group Policy or Microsoft Endpoint Configuration Manager ensures consistency across the estate.

Security teams are advised to review Chrome enterprise policies, enable site isolation and keep Safe Browsing turned on. Monitoring endpoint logs for unexpected renderer crashes, spikes in memory use or unusual network connections can help spot any attempted exploitation of the patched flaws. Maintaining an inventory of browser versions and validating patch compliance reduces the window of exposure.
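As an added example (not from Google's advisory or the original article), the following sketch validates patch compliance across a browser inventory against the 149.0.7827.196 minimum given above. The CSV layout, column names and host names are constructed for illustration; adapt them to whatever your inventory tool exports.

```python
import csv
import io
import re

# Minimum patched build named in the article above.
PATCHED = (149, 0, 7827, 196)

# Constructed sample inventory (hypothetical hosts and export format).
SAMPLE_INVENTORY = """host,chrome_version
ws-001,149.0.7827.197
ws-002,149.0.7827.99
ws-003,148.0.7700.210
ws-004,150.0.7900.12
ws-005,149.0.7827.196
ws-006,unknown
ws-007,
"""

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", re.ASCII)


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part build number."""
    match = VERSION_RE.fullmatch((text or "").strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text, minimum=PATCHED):
    """Classify one inventory entry as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # missing or malformed: not compliant until verified
    # Tuple comparison is numeric per component, so build .99 sorts below .196;
    # comparing the raw strings would wrongly rank "…99" above "…196".
    return "patched" if version >= minimum else "vulnerable"


def audit(inventory_csv):
    """Group host names by compliance status."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row.get("chrome_version"))].append(row["host"])
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {len(hosts):2}  {', '.join(hosts)}")
```

Hosts reported as unknown should be followed up rather than assumed patched, since a missing version often means the inventory agent is stale.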

Intelligence briefing updated Jun 25, 2026

CVE-2026-13028 (9.6), CVE-2026-13032 (9.6), CVE-2026-13033 (8.8), CVE-2026-13038 (8.8)
Root source: chromereleases.googleblog.com