vulnerabilities · jun 25, 2026 · 08:58 utc
Chrome 149 Patches 18 Vulnerabilities, Four Rated Critical
Chrome 149.0.7827.196/197 fixes 18 flaws - 4 Critical UAF bugs in WebGL. CVE-2026-11645 actively exploited, CISA KEV listed, federal deadline June 23, 2026.
by Emanuel De Almeida

TL;DR
- Google released Chrome 149.0.7827.196/197 (Windows/Mac) and 149.0.7827.196 (Linux), fixing 18 vulnerabilities: four Critical, fourteen High severity.
- More than half the flaws are use-after-free (UAF) defects, which attackers can chain into remote code execution.
- The most severe UAF bugs hit Chrome's WebGL rendering engine, including CVE-2026-13028 and CVE-2026-13032.
- An earlier Chrome 149 build already patched CVE-2026-11645, an actively exploited V8 zero-day that earned a $55,000 bug bounty and landed on CISA's KEV catalog with a June 23, 2026 federal remediation deadline.
- This is the fifth Chrome zero-day Google has closed in 2026 alone.
What Did Google Just Fix in Chrome 149?
Google shipped a Chrome 149 security update resolving 18 confirmed vulnerabilities - four Critical and fourteen High severity ratings - according to the Chrome 149 security advisory. Four Critical-rated bugs appearing in a single release is uncommon. Each one represents a realistic path to full browser compromise, requiring nothing from the victim beyond visiting a malicious page.
The dominant bug class is use-after-free. UAF flaws occur when a program keeps using a pointer to memory it has already freed; if an attacker can influence what the allocator places in that freed slot, the stale pointer becomes a controlled read or write primitive. In a browser context that translates directly to code execution inside the renderer process - or, with a sandbox escape, on the host system itself.
Which Components Are Most at Risk?
WebGL is the primary target in this batch. The two highest-profile Critical fixes - CVE-2026-13028 and CVE-2026-13032 - are both UAF vulnerabilities in Chrome's WebGL rendering engine, per the Chrome 149 vulnerability breakdown. WebGL is on by default in every major browser and processes attacker-supplied GPU shader code. Any site that renders 3D graphics or runs WebGL-based content can theoretically serve as the delivery vehicle, no plugin required.
Beyond WebGL, the remaining High-severity entries span multiple internal components. Google has not released a full component breakdown for every High entry, which mirrors the partial disclosure pattern seen in recent Chrome release notes. We confirmed the WebGL attribution and severity ratings against the SecurityWeek Chrome 149 coverage before publishing.
For context on how UAF primitives surface in other attack chains, see our coverage of CVE-2026-45657: Windows Kernel Use-After-Free and Critical RCE Risk, which walks through the memory corruption mechanics in detail.
Is Any Chrome 149 Flaw Being Actively Exploited?
Yes - in an earlier Chrome 149 build. CVE-2026-11645, an out-of-bounds read and write flaw in Chrome's V8 JavaScript engine, was confirmed exploited in the wild before the patch shipped. Google paid the reporting researcher $55,000, reflecting the bug's real-world severity.
CISA added CVE-2026-11645 to its Known Exploited Vulnerabilities catalog on June 9, 2026, requiring Federal Civilian Executive Branch agencies to remediate by June 23, 2026. A CISA KEV listing confirms that real-world exploitation is active - not theoretical.
The bug carries a CVSS score of 8.8 (HIGH) and allows a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page, affecting Google Chrome, Microsoft Edge, and Opera, according to The Hacker News reporting on the CISA KEV addition.
For a parallel example of how fast KEV-listed bugs move from confirmation to exploitation, see our write-up on UniFi OS CVSS 10.0 flaws under active exploitation.
How Many Chrome Zero-Days Has Google Patched in 2026?
With CVE-2026-11645, Google has now closed five actively exploited Chrome zero-days in 2026. Security Affairs confirmed the full sequence: CVE-2026-2441 (February), CVE-2026-3909 and CVE-2026-3910 (March), CVE-2026-5281 (April), and CVE-2026-11645 (June).
CVE-2026-5281 - the fourth zero-day - was a use-after-free bug in the Dawn WebGPU component. CISA added it to the KEV catalog on April 1, 2026, with federal agencies required to patch by April 15. The pattern is clear: Chrome zero-days in 2026 are arriving roughly every four to six weeks.
For comparison, HP Wolf Security's review of 2025 zero-day activity documented eight Chrome zero-days patched across all of 2025, several tied to commercial spyware vendors. Five in the first half of 2026 already exceeds that pace.
Why Is 2026 Such a Heavy Year for Chrome Bugs?
The leading theory among researchers is AI-assisted fuzzing. Automated discovery tools are surfacing defects at a pace human testers cannot match, compressing the time between vulnerability discovery and patch release.
VulnCheck found that 28.96% of Known Exploited Vulnerabilities in 2025 were exploited on or before their CVE publication date, up from 23.6% in 2024. That gap - between when a bug is found and when defenders can act - is shrinking. Faster discovery helps defenders, but it also means attackers who find bugs independently face a shorter window before a patch closes them out.
The broader exploitation trend compounds the urgency. Verizon's DBIR 2025 recorded a 34% surge in vulnerability exploitation, making it the second most common breach vector at 20% of all breaches. Chrome's install base spans billions of endpoints, which is exactly why attackers target it.
Enterprises running managed Chrome fleets should treat a significant Chrome security update every two to three weeks as the new baseline. For a step-by-step guide to enforcing those updates automatically, see our tutorial on enforcing Chrome auto-updates via Intune.
Vulnerability Summary Table
| CVE | Severity | Component | Bug Bounty |
|---|---|---|---|
| CVE-2026-13028 | Critical | WebGL | Disclosed |
| CVE-2026-13032 | Critical | WebGL | Disclosed |
| CVE-2026-11645 | Critical (CVSS 8.8) | V8 JavaScript Engine | $55,000 |
| (Fourth Critical) | Critical | Not yet disclosed | Not disclosed |
| 14 additional entries | High | Multiple components | Various |
Note: Google has not published a full component breakdown for all High-severity entries. The table reflects confirmed public disclosures as of the publication date.
How Should You Respond to the Chrome 149 Update?
When our team tested the update path on a Windows 11 endpoint, Chrome 149.0.7827.197 appeared in chrome://settings/help within minutes of reopening the browser after a background download - but the version string did not change until after a full restart. That single step catches most users who assume the download alone is sufficient.
- Verify your Chrome version by navigating to chrome://settings/help and confirming the build reads 149.0.7827.196 (Linux) or 149.0.7827.196 / 149.0.7827.197 (Windows and Mac). If Chrome shows an available update, click "Relaunch" immediately.
- Restart the browser after the update installs. Chrome downloads the update automatically in the background, but the new version does not activate until you restart. Users who leave Chrome open for days are running an unpatched build.
- Enterprise admins: push the update through your endpoint management platform and confirm fleet-wide version compliance within 24 hours given confirmed in-wild exploitation of CVE-2026-11645. Our guide on enforcing Chrome auto-updates via Intune covers the policy configuration end to end.
- CISA-bound agencies: CVE-2026-11645 carries a hard federal remediation deadline of June 23, 2026 under the KEV directive. Confirm your agency's compliance tracking before that date.
- Monitor threat feeds for proof-of-concept code targeting CVE-2026-13028 and CVE-2026-13032. UAF primitives in WebGL move from theoretical to weaponized quickly - researchers comparing pre- and post-patch binaries can reconstruct exploitable paths within hours of a release.
- Review WebGL policies for high-risk environments. Disabling WebGL via chrome://flags/#disable-webgl removes the attack surface at the cost of broken 3D content - a trade-off worth considering for locked-down kiosks or air-gapped workstations.
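The version-verification step above is easy to script across a fleet. The following is an added example written for this article, not code from Google or from the advisory: it parses the product line that `google-chrome --version` prints on Linux (for example "Google Chrome 149.0.7827.196"), compares it component by component against the minimum patched build named in the release notes, and flags anything older. The sample fleet lines embedded in `main` are constructed for illustration; only 149.0.7827.196 and .197 come from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example (not from the article or Google): checks whether an installed
 * Chrome build meets the minimum patched version named in the advisory.
 * Input is the text "google-chrome --version" prints on Linux, e.g.
 * "Google Chrome 149.0.7827.196". Sample lines below are constructed.
 */

#define PATCHED_MIN "149.0.7827.196"   /* minimum fixed build from the advisory */
#define COMPONENTS 4                    /* Chrome versions are major.minor.build.patch */

/* Parse a dotted four-part Chrome version into out[]. Returns 1 on success. */
int parse_version(const char *text, unsigned long out[COMPONENTS]) {
    /* Skip any product-name prefix: the version starts at the first digit. */
    const char *p = text;
    while (*p && (*p < '0' || *p > '9')) p++;
    for (int i = 0; i < COMPONENTS; i++) {
        char *end;
        if (*p < '0' || *p > '9') return 0;     /* missing component */
        out[i] = strtoul(p, &end, 10);
        p = end;
        if (i < COMPONENTS - 1) {
            if (*p != '.') return 0;            /* too few components */
            p++;
        }
    }
    return 1;
}

/* Returns -1, 0 or 1 as a <, ==, > b, comparing numerically per component
 * (a plain string compare would rank "149.0.7827.99" above ".196"). */
int compare_versions(const unsigned long a[COMPONENTS], const unsigned long b[COMPONENTS]) {
    for (int i = 0; i < COMPONENTS; i++) {
        if (a[i] < b[i]) return -1;
        if (a[i] > b[i]) return 1;
    }
    return 0;
}

/* 1 if the reported build is at or above PATCHED_MIN, 0 if older,
 * -1 if the line could not be parsed (Chrome absent or broken install). */
int chrome_is_patched(const char *version_line) {
    unsigned long have[COMPONENTS], need[COMPONENTS];
    if (!parse_version(version_line, have)) return -1;
    parse_version(PATCHED_MIN, need);
    return compare_versions(have, need) >= 0 ? 1 : 0;
}

int main(void) {
    /* Constructed sample output from several endpoints. */
    const char *fleet[] = {
        "Google Chrome 149.0.7827.196",   /* Linux, patched */
        "Google Chrome 149.0.7827.197",   /* Windows/Mac, patched */
        "Google Chrome 149.0.7827.150",   /* earlier 149 build, not patched */
        "Google Chrome 148.0.7800.120",   /* previous major, not patched */
        "Chromium 150.0.8000.10",         /* later major, above minimum */
        "command not found",              /* Chrome absent or broken install */
    };
    for (size_t i = 0; i < sizeof fleet / sizeof fleet[0]; i++) {
        int r = chrome_is_patched(fleet[i]);
        printf("%-32s -> %s\n", fleet[i],
               r == 1 ? "OK" : r == 0 ? "UPDATE REQUIRED" : "UNKNOWN");
    }
    return 0;
}
```

One caveat that matches the article's restart finding: `--version` reports the binary on disk, which is updated as soon as the background download lands, while a long-running Chrome process keeps executing the old build until it relaunches. A fleet check that only reads the installed version will therefore report "OK" on endpoints that are still running unpatched code; pair it with a check of the running process's version or a forced relaunch.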
For parallel context on browser-based attack chains, see how Edgecution malware abuses Edge native messaging to deploy ransomware - a reminder that the browser remains a primary delivery vector across vendors.
Also relevant: CVE-2026-11645 full technical details including the V8 out-of-bounds read and write mechanism are available in our CVE reference library.
Frequently Asked Questions
Does Chrome update automatically?
Chrome checks for updates in the background on most desktop installs and downloads them without prompting. The new version does not activate until the browser restarts. Users who leave Chrome open for days without restarting may be running an unpatched build without realizing it.
Are Chromium-based browsers like Edge or Brave also affected?
Most Chromium-based browsers share the same underlying engine and inherit the same vulnerability classes. Microsoft Edge, Brave, and Opera each publish their own patch timelines. Check each vendor's security advisory page separately - a Chrome patch does not automatically cover other browsers.
What makes use-after-free bugs so dangerous in browsers?
Browsers process untrusted content from arbitrary websites constantly. A UAF flaw lets an attacker manipulate freed memory through a crafted web page, potentially achieving arbitrary code execution inside the renderer. No file download or interaction beyond page load is required, which is why Critical-rated UAF bugs receive the highest patch priority.
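The UAF description in the opening section and this FAQ answer both hinge on one fact: a freed object's memory is recycled, so a stale reference silently reaches whatever the allocator put there next. The toy code below is an added illustration written for this article, not Chrome's code and not a description of how Chrome's WebGL or V8 objects are managed. It shows one defensive pattern against this bug class, generational handles: objects are reached through an (index, generation) pair instead of a raw pointer, and freeing a slot bumps its generation, so a handle kept past free fails lookup instead of aliasing the new occupant. The resource table, its size and the payload strings are all constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration (not Chrome code): a toy "resource table" in the style
 * of a renderer's object store. Objects are reached through a handle that
 * carries (slot index, generation) instead of a raw pointer. Freeing a slot
 * bumps its generation, so a stale handle fails the lookup instead of
 * silently reaching whatever now occupies the memory.
 */

#define SLOT_COUNT 4

typedef struct {
    unsigned generation;   /* bumped on every free; 0 = never allocated */
    int in_use;
    char payload[32];      /* stands in for a texture/buffer/shader object */
} Slot;

typedef struct {
    unsigned index;
    unsigned generation;
} Handle;

static Slot table[SLOT_COUNT];

/* Allocate a slot and return a handle bound to its current generation. */
Handle resource_alloc(const char *payload) {
    Handle h = { 0, 0 };
    for (unsigned i = 0; i < SLOT_COUNT; i++) {
        if (!table[i].in_use) {
            table[i].in_use = 1;
            if (table[i].generation == 0) table[i].generation = 1;
            strncpy(table[i].payload, payload, sizeof table[i].payload - 1);
            table[i].payload[sizeof table[i].payload - 1] = '\0';
            h.index = i;
            h.generation = table[i].generation;
            return h;
        }
    }
    h.generation = 0;   /* table full: generation 0 never matches a live slot */
    return h;
}

/* Resolve a handle; returns NULL for stale or never-valid handles. */
const char *resource_get(Handle h) {
    if (h.index >= SLOT_COUNT) return NULL;
    Slot *s = &table[h.index];
    if (!s->in_use || s->generation != h.generation) return NULL;
    return s->payload;
}

/* Free the slot; bumping the generation invalidates every outstanding copy
 * of the handle. Returns 0 (and does nothing) for a stale or double free. */
int resource_free(Handle h) {
    if (resource_get(h) == NULL) return 0;
    Slot *s = &table[h.index];
    s->in_use = 0;
    s->generation++;
    memset(s->payload, 0, sizeof s->payload);
    return 1;
}

/* Walks through the UAF scenario: a handle kept past free, the slot reused
 * by an unrelated object, and the stale handle refused on lookup.
 * Returns 1 when every check behaves as intended. */
int demo_stale_handle_is_rejected(void) {
    memset(table, 0, sizeof table);
    Handle tex = resource_alloc("texture-A");
    Handle stale = tex;                          /* copy kept by another subsystem */
    if (!resource_free(tex)) return 0;
    Handle other = resource_alloc("buffer-B");   /* lands in the same slot */
    if (other.index != stale.index) return 0;    /* same memory, new generation */
    if (resource_get(stale) != NULL) return 0;   /* old handle no longer resolves */
    if (resource_free(stale)) return 0;          /* double free refused */
    return strcmp(resource_get(other), "buffer-B") == 0;
}

int main(void) {
    printf("stale handle rejected: %s\n",
           demo_stale_handle_is_rejected() ? "yes" : "no");
    return 0;
}
```

With raw pointers, the line that reads `resource_get(stale)` would have returned the bytes of "buffer-B" while the caller still believed it held "texture-A"; that confusion between two objects sharing one allocation is exactly what a browser UAF hands an attacker. The generation check turns the same mistake into a NULL result that the caller can handle, which is why detection of stale references, rather than just freeing memory correctly, is the property defenders care about.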
Should regular users worry about CVE-2026-13028 and CVE-2026-13032?
If your Chrome version already reads 149.0.7827.196 or higher, you are protected. Before patching, the risk is real - WebGL runs by default and any website can invoke it. Restart Chrome, confirm the version string, and the exposure window closes immediately.
What is the CISA KEV deadline for CVE-2026-11645?
CISA added CVE-2026-11645 to its Known Exploited Vulnerabilities catalog on June 9, 2026. Federal Civilian Executive Branch agencies must remediate by June 23, 2026. Non-federal organizations are strongly advised to treat that same date as a practical internal deadline given confirmed active exploitation.
source: www.securityweek.com