Google Issues Chrome 149 Patch for 18 Security Flaws
It protects against critical WebGL use-after-free flaws that can allow a browser sandbox escape.
Overview
- Chrome 149 is rolling out as stable builds 149.0.7827.196/197 for desktop and 149.0.7827.197 for Android and users can update manually via Settings > About Chrome to get the fixes immediately.
- The release fixes 18 vulnerabilities total, with four rated Critical and 14 rated High, and the most severe problems are two WebGL use-after-free bugs (CVE-2026-13028 and CVE-2026-13032) that could let a specially crafted web page break out of Chrome’s sandbox.
- A majority of the patched defects are use-after-free memory-corruption bugs that can let attackers execute or redirect code when combined with other flaws; the update also fixes out-of-bounds reads, uninitialized uses, inappropriate implementations, and validation problems.
- Google says there is no evidence these Chrome 149 fixes are being actively exploited in the wild and the company is withholding detailed technical disclosure while the rollout reaches more users.
- Seventeen of the 18 issues were found by Google engineers and one was reported anonymously, a pattern that follows June’s rapid patching cycle that included an emergency V8 zero-day and a 429-patch batch earlier this month.