Google Chrome Patches 34 Flaws Including Multiple RCE Bugs
Google has released two Chrome Stable channel security updates that together patch 34 vulnerabilities, including multiple flaws that could allow remote code execution if users are lured to malicious webpages. The first update fixed 26 issues—including three critical, 22 high-severity, and one medium-severity bugs—in components such as WebGL, WebRTC, V8, Blink, Network, WebAudio, Dawn, PDFium, ANGLE, and Extensions. Google said the most serious weaknesses involved memory corruption, including use-after-free, heap and stack buffer overflows, out-of-bounds access, integer overflows, type confusion, and insufficient validation of untrusted input.
A follow-up update addressed eight additional high-severity vulnerabilities affecting WebAudio, CSS, WebGL, Dawn, WebGPU, Fonts, and FedCM, again dominated by memory-safety bugs that could lead to browser compromise. Google shipped versions 146.0.7680.153 and 146.0.7680.154 for Windows and macOS and 146.0.7680.153 for Linux in the first release, followed by 146.0.7680.164 and 146.0.7680.165 for Windows and macOS and 146.0.7680.164 for Linux in the second. The company said many flaws were found through AddressSanitizer, MemorySanitizer, and libFuzzer, paid a $7,000 bounty for one WebAudio bug, and is withholding technical details until more users have updated to reduce the risk of exploit development.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Google issues follow-up Chrome update for 8 high-severity flaws
Google released another Chrome security update, rolling out versions 146.0.7680.164/.165 for Windows and macOS and 146.0.7680.164 for Linux, to fix eight high-severity vulnerabilities. The flaws impacted components including WebAudio, CSS, WebGL, Dawn, WebGPU, Fonts, and FedCM, and included memory corruption issues that could allow remote code execution or system compromise.
Google releases Chrome update fixing 26 vulnerabilities
Google shipped Chrome Stable channel versions 146.0.7680.153/.154 for Windows and macOS and 146.0.7680.153 for Linux to address 26 flaws, including three critical issues. The bugs affected components such as WebGL, WebRTC, V8, Blink, Network, WebAudio, Dawn, PDFium, ANGLE, and Extensions, with several memory corruption flaws that could enable remote code execution via malicious webpages.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Chrome Security Update Fixes 8 Vulnerabilities Allowing Remote Code Execution
cybersecuritynews.com
Open sourceChrome Security Update Patches 26 Vulnerabilities that Enable Attackers to Execute Malicious Code Remotely
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Patches Seven Critical Chrome RCE Flaws in Stable Update
Google released a Chrome Stable channel update to fix **33 vulnerabilities**, including **seven Critical flaws** that could allow **remote code execution** if a user visits a malicious webpage. The update moves Chrome to **`149.0.7827.155/.156`** on Windows and macOS and **`149.0.7827.155`** on Linux, with Google rolling it out gradually. The most serious issues are largely **use-after-free** memory corruption bugs affecting components including **WebShare**, **Digital Credentials**, **File Input**, **Passwords**, and **Web Authentication**. Named issues include **`CVE-2026-12437`** in WebShare, **`CVE-2026-12439`** and **`CVE-2026-12440`** in Digital Credentials, **`CVE-2026-12442`** in Passwords, and **`CVE-2026-12443`** in Web Authentication. Google also patched High-severity flaws in **WebRTC, Extensions, Safe Browsing, GPU, File System Access, Media, Downloads,** and the **Tab Strip**, with risks ranging from data leakage and heap corruption to sandbox escape and exploit chaining. The company said technical details will remain limited until more users update and urged users and enterprises to install the patch and relaunch Chrome promptly.
Jun 22, 2026
Google Chrome fixes 151 flaws, including 22 critical remote code execution bugs
Google has released a major Chrome Stable update that patches **151 security vulnerabilities**, including **22 critical flaws** affecting desktop builds on Windows, macOS, and Linux, with related fixes also noted for Android and iOS. The patched desktop versions are `148.0.7778.216/217` for Windows, `148.0.7778.215/216` for macOS, and `148.0.7778.215` for Linux. Google and national cyber authorities urged users and administrators to update immediately, while the company temporarily withheld detailed technical information until most users receive the fixes. Google said none of the newly disclosed critical issues were known to be exploited in the wild at disclosure time. The most serious bugs include **CVE-2026-9872** in the GPU process, **CVE-2026-9873** in Network, **CVE-2026-9874** in Dawn, and **CVE-2026-9875** in WebGL, alongside numerous flaws in **ANGLE**, Bluetooth, Base, Proxy, media, and other browser components. The vulnerabilities span use-after-free, out-of-bounds read and write, integer overflow, race condition, and insufficient validation weaknesses that could enable **remote code execution**, sandbox escape, data corruption, or broader system compromise through malicious web content. Google said many issues were found internally through fuzzing, sanitizers, and control-flow integrity tooling, while external researchers also reported multiple bugs through the bounty program, with rewards reaching **$43,000**.
May 29, 2026
Chrome Desktop Update Fixes 28 Flaws Including Critical Memory Corruption Bugs
Google released a Stable Channel update for Chrome Desktop, upgrading Windows and Mac to **149.0.7827.114/.115** and Linux to **149.0.7827.114**, to address **28 security vulnerabilities** across components including Core, DigitalCredentials, Accessibility, GPU, WebMIDI, Network, DevTools, Extensions, Video, and Views. The release includes **five critical flaws**, notably multiple use-after-free bugs, a heap buffer overflow in GPU, and insufficient validation of untrusted input in Accessibility; Google said technical details will remain restricted until most users are patched or dependent third-party fixes are available. Published CVE records tied to the release highlight several high-severity issues: **`CVE-2026-12013`**, a Chrome Media use-after-free on Windows that could be triggered through a crafted HTML page; **`CVE-2026-12014`**, a Cast use-after-free that could enable a sandbox escape from the local network segment via malicious network traffic; **`CVE-2026-12016`**, a DevTools flaw that could allow sandbox escape after renderer compromise; and **`CVE-2026-12018`**, a Mojo issue that could lead to OS-level privilege escalation on Windows through a malicious file. The Canadian Centre for Cyber Security urged users and administrators running versions prior to the patched builds to review Google’s advisory and apply updates as they become available.
Jun 12, 2026