Google has issued a significant security patch for its Chrome browser, advancing the Stable channel to version 149.0.7827.196/197 for Windows and Mac, and 149.0.7827.196 for Linux.
This update addresses 18 security vulnerabilities, four rated Critical and fourteen rated High, several of which could allow attackers to execute arbitrary code on affected systems.
The most severe fixes address Use-after-Free (UAF) vulnerabilities in Chrome’s WebGL rendering engine. CVE-2026-13028 was reported by an unidentified researcher on June 7, 2026, while CVE-2026-13032 was found internally by Google on June 13.
UAF vulnerabilities occur when a program continues to reference memory after it has been freed, which can let attackers hijack execution flow and run malicious code.
Also rated Critical, CVE-2026-13033 addresses an Out-of-Bounds Read in Blink’s InterestGroups feature, and CVE-2026-13038 fixes another Use-after-Free in Chrome’s Autofill subsystem. Both were found internally by Google between June 13 and 14, 2026.
The update resolves 14 High-severity vulnerabilities spanning various Chrome components:

| CVE ID | Severity | Vulnerability Type | Impacted Component |
|---|---|---|---|
| CVE-2026-13021 | High | Inadequate Implementation | DeviceBoundSessionCredentials |
| CVE-2026-13022 | High | Inadequate Implementation | Autofill |
| CVE-2026-13023 | High | Uninitialized Use | GPU |
| CVE-2026-13024 | High | Insufficient Input Validation | Navigation |
| CVE-2026-13025 | High | Insufficient Input Validation | DevTools |
| CVE-2026-13026 | High | Use-after-Free | Digital Credentials |
| CVE-2026-13027 | High | Use-after-Free | FileSystem |
| CVE-2026-13029 | High | Use-after-Free | Web Authentication |
| CVE-2026-13030 | High | Uninitialized Use | GPU |
| CVE-2026-13031 | High | Use-after-Free | Blink |
| CVE-2026-13034 | High | Inadequate Implementation | Passwords |
| CVE-2026-13035 | High | Use-after-Free | Bluetooth |
| CVE-2026-13036 | High | Use-after-Free | Blink |
| CVE-2026-13037 | High | Use-after-Free | WebView |

The prevalence of UAF issues across core browser components such as WebGL, Autofill, Bluetooth, and WebView indicates a wide attack surface that malicious actors might exploit to achieve privilege escalation or remote code execution.
Google states that vulnerability details will remain restricted until most users have updated, a common practice to prevent active exploitation before patches are widely distributed.
Many of the vulnerabilities were found using Google’s internal fuzzing and sanitizer tooling, including AddressSanitizer, MemorySanitizer, and libFuzzer.
Users and enterprise administrators are urged to update Chrome without delay. To update manually, go to Settings → Help → About Google Chrome and allow the browser to install the latest version.
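
For administrators checking a fleet rather than a single browser, the following added example (not from Google or the original article) classifies hosts against the fixed build 149.0.7827.196 named above. The inventory format, hostnames, and sample versions are constructed assumptions.

```python
import csv
import io
import re

# Lowest fixed Stable build named in the article (Windows/Mac also ship .197).
FIXED_BUILD = (149, 0, 7827, 196)

# Four dotted integer fields, not embedded in a longer dotted number.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")

def parse_version(text):
    """Return the first four-part Chrome version in text as an int tuple, or None."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version_text):
    """'patched', 'needs-update', or 'unknown' (unparseable is never assumed safe)."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    # Tuples compare numerically field by field, so .99 < .196 as intended;
    # comparing the raw strings would rank "99" above "196".
    return "patched" if v >= FIXED_BUILD else "needs-update"

def triage(inventory_csv):
    """Map host -> status from 'host,platform,version' rows."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["version"]) for r in rows}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """host,platform,version
ws-001,windows,Google Chrome 149.0.7827.197
mac-014,mac,149.0.7827.196
lnx-203,linux,Google Chrome 149.0.7827.99
ws-077,windows,148.0.7778.216
kiosk-9,linux,not installed
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be investigated rather than counted as patched.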