Chrome Desktop Update Fixes 28 Flaws Including Critical Memory Corruption Bugs
Google released a Stable Channel update for Chrome Desktop, upgrading Windows and Mac to 149.0.7827.114/.115 and Linux to 149.0.7827.114, to address 28 security vulnerabilities across components including Core, DigitalCredentials, Accessibility, GPU, WebMIDI, Network, DevTools, Extensions, Video, and Views. The release includes five critical flaws, notably multiple use-after-free bugs, a heap buffer overflow in GPU, and insufficient validation of untrusted input in Accessibility; Google said technical details will remain restricted until most users are patched or dependent third-party fixes are available.
Published CVE records tied to the release highlight several high-severity issues: CVE-2026-12013, a Chrome Media use-after-free on Windows that could be triggered through a crafted HTML page; CVE-2026-12014, a Cast use-after-free that could enable a sandbox escape from the local network segment via malicious network traffic; CVE-2026-12016, a DevTools flaw that could allow sandbox escape after renderer compromise; and CVE-2026-12018, a Mojo issue that could lead to OS-level privilege escalation on Windows through a malicious file. The Canadian Centre for Cyber Security urged users and administrators running versions prior to the patched builds to review Google’s advisory and apply updates as they become available.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Canadian Centre for Cyber Security issues Chrome advisory
On June 12, 2026, the Canadian Centre for Cyber Security published advisory AV26-593 about Google's June 11 Chrome security update. It advised users and administrators to review Google's advisory and apply the necessary updates for affected desktop Chrome versions.
CVE entries are updated with CVSS details
On June 12, 2026, CVE records for several Chrome vulnerabilities were updated to add CVSS v3.1 vectors and related classification details. The updates affected entries including CVE-2026-12014, CVE-2026-12013, CVE-2026-12016, and CVE-2026-12018.
CVE records for multiple Chrome flaws are received
On June 11, 2026, CVE records were received for several Chrome vulnerabilities including CVE-2026-12013, CVE-2026-12016, and related issues referenced in the Chrome release. These records covered flaws such as a Media use-after-free, a DevTools sandbox escape, and other high-severity bugs affecting versions prior to 149.0.7827.115.
Google releases Chrome 149.0.7827.114/.115 with 28 security fixes
On June 11, 2026, Google announced a Stable Channel update for Chrome Desktop: version 149.0.7827.114/.115 for Windows and Mac and 149.0.7827.114 for Linux. The release addressed 28 security issues, including multiple critical and high-severity vulnerabilities across components such as Core, Accessibility, GPU, DevTools, and Media.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Google Chrome security advisory (AV26-593) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceCVE-2026-12016 - Google Chrome DevTools Sandbox Escape
cvefeed.io
Open sourceChrome Releases: Stable Channel Update for Desktop
chromereleases.googleblog.com
Open sourceCVE-2026-12014 - Chrome Use-after-free Sandbox Escape
cvefeed.io
Open sourceCVE-2026-12013 - Google Chrome Use-After-Free
cvefeed.io
Open sourceCVE-2026-12018 - Google Chrome Mojo Privilege Escalation
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Chrome Update Fixes 79 Flaws, Including 14 Critical Bugs
Google released a Stable Channel update for Chrome Desktop that fixes **79 vulnerabilities**, including **14 critical flaws**, in version `148.0.7778.167/168` for Windows and Mac and `148.0.7778.167` for Linux. The most severe issues include heap buffer overflows, integer overflows, use-after-free bugs, a race condition, and insufficient validation of untrusted input in components such as **WebML, Skia, Blink, ANGLE, and Payments**. Google said it is restricting technical details and proof-of-concept information until more users are patched, citing the risk that browser bugs can be weaponized for arbitrary code execution, sandbox escape, data theft, and host compromise. Government and industry advisories urged organizations to update immediately, with the Canadian Centre for Cyber Security issuing notice **AV26-458** for versions prior to `148.0.7778.167/168` on Windows and Mac and prior to `148.0.7778.167` on Linux. The latest release follows an earlier Chrome advisory, **AV26-358**, that covered versions prior to `147.0.7727.101/102`, underscoring a continuing stream of browser security fixes. Google also disclosed bug bounty awards tied to the new patch set, including **$43,000** for `CVE-2026-8509` in WebML and **$25,000** for `CVE-2026-8510` in Skia.
May 21, 2026
Google Chrome 149 fixes multiple high-severity memory corruption flaws
Google released a Stable Channel security update for Chrome Desktop, fixing a broad set of vulnerabilities in versions prior to **`149.0.7827.53/54`** on Windows and Mac and **`149.0.7827.53`** on Linux, while related records also show Chrome on Android was affected before **`149.0.7827.53`**. The Canadian Centre for Cyber Security urged users and administrators to apply the update, and public CVE entries tie the release to numerous flaws across **V8, Blink, WebRTC, Compositing, Dawn, DevTools, GPU, PDFium, Extensions, Media, TabStrip, Cast, LiveCaption, Google Lens, CSS, and USB**. Many of the issues are memory-safety bugs such as **use-after-free**, **out-of-bounds write/read**, **integer overflow**, and **type confusion**, with several carrying CVSS vectors indicating high impact to confidentiality, integrity, and availability. The patched vulnerabilities include remote code execution inside Chrome’s sandbox through crafted HTML pages or malicious PDF files, information disclosure from process memory, UI spoofing, navigation restriction bypass, privilege escalation on adjacent networks, and multiple paths that could aid sandbox escape after renderer compromise. Notable examples include **`CVE-2026-11188`** in Android USB that could potentially enable sandbox escape, **`CVE-2026-11256`** in the GPU component, **`CVE-2026-11173`** in V8, **`CVE-2026-11118`** and **`CVE-2026-11074`** in WebRTC, and several **PDFium** bugs including **`CVE-2026-11303`**, **`CVE-2026-11305`**, and **`CVE-2026-11307`**. Visible metadata from one additional report also points to **`CVE-2026-10881`**, linked to Chrome 149, the ANGLE layer, and memory corruption involving GPU buffer overflow and use-after-free.
Jun 12, 2026
Google Chrome fixes 151 flaws, including 22 critical remote code execution bugs
Google has released a major Chrome Stable update that patches **151 security vulnerabilities**, including **22 critical flaws** affecting desktop builds on Windows, macOS, and Linux, with related fixes also noted for Android and iOS. The patched desktop versions are `148.0.7778.216/217` for Windows, `148.0.7778.215/216` for macOS, and `148.0.7778.215` for Linux. Google and national cyber authorities urged users and administrators to update immediately, while the company temporarily withheld detailed technical information until most users receive the fixes. Google said none of the newly disclosed critical issues were known to be exploited in the wild at disclosure time. The most serious bugs include **CVE-2026-9872** in the GPU process, **CVE-2026-9873** in Network, **CVE-2026-9874** in Dawn, and **CVE-2026-9875** in WebGL, alongside numerous flaws in **ANGLE**, Bluetooth, Base, Proxy, media, and other browser components. The vulnerabilities span use-after-free, out-of-bounds read and write, integer overflow, race condition, and insufficient validation weaknesses that could enable **remote code execution**, sandbox escape, data corruption, or broader system compromise through malicious web content. Google said many issues were found internally through fuzzing, sanitizers, and control-flow integrity tooling, while external researchers also reported multiple bugs through the bounty program, with rewards reaching **$43,000**.
May 29, 2026