{"id":13858,"date":"2026-06-25T10:03:38","date_gmt":"2026-06-25T10:03:38","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/06\/25\/chrome-149-security-update-patch-for-critical-flaws-that-enable-code-execution-attacks\/"},"modified":"2026-06-25T10:03:38","modified_gmt":"2026-06-25T10:03:38","slug":"chrome-149-security-update-patch-for-critical-flaws-that-enable-code-execution-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/06\/25\/chrome-149-security-update-patch-for-critical-flaws-that-enable-code-execution-attacks\/","title":{"rendered":"Chrome 149 Security Update \u2014 Patch for Critical Flaws that Enable Code Execution Attacks"},"content":{"rendered":"

Chrome 149 Security Update \u2014 Patch for Critical Flaws that Enable Code Execution Attacks
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Google has released a critical security update for its Chrome browser, pushing the Stable channel to version 149.0.7827.196\/197 for Windows and Mac, and 149.0.7827.196 for Linux.<\/p>\n

The update addresses 18 security vulnerabilities, including four rated Critical and fourteen rated High severity, several of which could allow attackers to execute arbitrary code on affected systems.<\/p>\n

The most severe fixes target Use-after-Free (UAF) vulnerabilities<\/a> in Chrome\u2019s WebGL rendering engine. CVE-2026-13028 was reported by an anonymous researcher on June 7, 2026, while CVE-2026-13032 was identified internally by Google on June 13.<\/p>\n

UAF flaws occur when a program continues referencing memory after it has been freed, potentially allowing attackers to hijack execution flow and run malicious code.<\/p>\n

Also rated Critical, CVE-2026-13033 addresses an Out-of-Bounds Read in Blink\u2019s InterestGroups component, and CVE-2026-13038 patches another Use-after-Free in Chrome\u2019s Autofill subsystem, both discovered internally by Google between June 13\u201314, 2026.<\/p>\n

The update resolves 14 High-severity flaws spanning multiple Chrome components:<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
CVE ID<\/th>\nSeverity<\/th>\nVulnerability Type<\/th>\nAffected Component<\/th>\n<\/tr>\n<\/thead>\n
CVE-2026-13021<\/td>\nHigh<\/td>\nInappropriate Implementation<\/td>\nDeviceBoundSessionCredentials<\/td>\n<\/tr>\n
CVE-2026-13022<\/td>\nHigh<\/td>\nInappropriate Implementation<\/td>\nAutofill<\/td>\n<\/tr>\n
CVE-2026-13023<\/td>\nHigh<\/td>\nUninitialized Use<\/td>\nGPU<\/td>\n<\/tr>\n
CVE-2026-13024<\/td>\nHigh<\/td>\nInsufficient Input Validation<\/td>\nNavigation<\/td>\n<\/tr>\n
CVE-2026-13025<\/td>\nHigh<\/td>\nInsufficient Input Validation<\/td>\nDevTools<\/td>\n<\/tr>\n
CVE-2026-13026<\/td>\nHigh<\/td>\nUse-after-Free<\/td>\nDigital Credentials<\/td>\n<\/tr>\n
CVE-2026-13027<\/td>\nHigh<\/td>\nUse-after-Free<\/td>\nFileSystem<\/td>\n<\/tr>\n
CVE-2026-13029<\/td>\nHigh<\/td>\nUse-after-Free<\/td>\nWeb Authentication<\/td>\n<\/tr>\n
CVE-2026-13030<\/td>\nHigh<\/td>\nUninitialized Use<\/td>\nGPU<\/td>\n<\/tr>\n
CVE-2026-13031<\/td>\nHigh<\/td>\nUse-after-Free<\/td>\nBlink<\/td>\n<\/tr>\n
CVE-2026-13034<\/td>\nHigh<\/td>\nInappropriate Implementation<\/td>\nPasswords<\/td>\n<\/tr>\n
CVE-2026-13035<\/td>\nHigh<\/td>\nUse-after-Free<\/td>\nBluetooth<\/td>\n<\/tr>\n
CVE-2026-13036<\/td>\nHigh<\/td>\nUse-after-Free<\/td>\nBlink<\/td>\n<\/tr>\n
CVE-2026-13037<\/td>\nHigh<\/td>\nUse-after-Free<\/td>\nWebView<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

The concentration of UAF bugs across critical browser components like WebGL, Autofill, Bluetooth, and WebView signals a broad attack surface that threat actors could exploit to achieve privilege escalation or remote code execution.<\/p>\n

Google notes that bug details will remain restricted<\/a> until the majority of users are updated, a standard practice to prevent active exploitation before patches are widely deployed.<\/p>\n

Many vulnerabilities were discovered using Google\u2019s internal fuzzing and sanitizer toolchain, including AddressSanitizer, MemorySanitizer, and libFuzzer.<\/p>\n

Users and enterprise administrators should prioritize updating Chrome immediately. To manually update, navigate to Settings \u2192 Help \u2192 About Google Chrome and allow the browser to apply the latest build.<\/p>\n

Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n

The post Chrome 149 Security Update \u2014 Patch for Critical Flaws that Enable Code Execution Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Guru Baran
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Chrome 149 Security Update \u2014 Patch for Critical Flaws that Enable Code Execution Attacks Google has released a critical security update for its Chrome browser, pushing the Stable channel to version 149.0.7827.196\/197 for Windows and Mac, and 149.0.7827.196 for Linux. The update addresses 18 security vulnerabilities, including four rated Critical and fourteen rated High severity, […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-13858","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13858"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13858"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13858\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13858"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13858"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13858"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}