Google Patches Seven Critical Chrome RCE Flaws in Stable Update
Google released a Chrome Stable channel update to fix 33 vulnerabilities, including seven Critical flaws that could allow remote code execution if a user visits a malicious webpage. The update moves Chrome to 149.0.7827.155/.156 on Windows and macOS and 149.0.7827.155 on Linux, with Google rolling it out gradually. The most serious issues are largely use-after-free memory corruption bugs affecting components including WebShare, Digital Credentials, File Input, Passwords, and Web Authentication.
Named issues include CVE-2026-12437 in WebShare, CVE-2026-12439 and CVE-2026-12440 in Digital Credentials, CVE-2026-12442 in Passwords, and CVE-2026-12443 in Web Authentication. Google also patched High-severity flaws in WebRTC, Extensions, Safe Browsing, GPU, File System Access, Media, Downloads, and the Tab Strip, with risks ranging from data leakage and heap corruption to sandbox escape and exploit chaining. The company said technical details will remain limited until more users update and urged users and enterprises to install the patch and relaunch Chrome promptly.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Debian publishes DSA 6351-1 Chromium security update
Debian issued security advisory DSA 6351-1 for Chromium. This is a separate downstream vendor security update from the previously listed Google Chrome and Mozilla Firefox releases.
Mozilla releases Firefox 152 security updates fixing 40 vulnerabilities
Mozilla released Firefox 152 security updates on June 17, 2026, fixing 40 vulnerabilities, including 13 high-severity flaws such as use-after-free, privilege escalation, sandbox escape, JIT miscompilation, and other memory safety bugs. Mozilla also issued related updates for Firefox ESR, Thunderbird, and Firefox for iOS.
Google releases Chrome 149 security update fixing 33 vulnerabilities
Google released a Chrome Stable channel security update that fixes 33 vulnerabilities, including seven critical flaws that could enable remote code execution. The update advances Chrome to version 149.0.7827.155/.156 on Windows and macOS and 149.0.7827.155 on Linux, with rollout beginning gradually.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Google Chrome Multiple Vulnerabilities
hkcert.org
Open source[SECURITY] [DSA 6351-1] chromium security update
lists.debian.org
Open sourceGoogle Chrome security advisory (AV26-609) - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceGoogle Chrome security advisory (AV26-609) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceChrome and Firefox Updated to Patch Critical, High-Severity Vulnerabilities - SecurityWeek
securityweek.com
Open sourceCritical Chrome Vulnerabilities Allow Attackers to Execute Arbitrary Code - Update Now!
cybersecuritynews.com
Open sourceChrome Security Update Patches 33 Vulnerabilities
securityonline.info
Open sourceChrome Releases: Stable Channel Update for Desktop
chromereleases.googleblog.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Chrome Patches 34 Flaws Including Multiple RCE Bugs
Google has released two Chrome Stable channel security updates that together patch **34 vulnerabilities**, including multiple flaws that could allow **remote code execution** if users are lured to malicious webpages. The first update fixed **26 issues**—including **three critical**, **22 high-severity**, and **one medium-severity** bugs—in components such as **WebGL**, **WebRTC**, **V8**, **Blink**, **Network**, **WebAudio**, **Dawn**, **PDFium**, **ANGLE**, and **Extensions**. Google said the most serious weaknesses involved memory corruption, including use-after-free, heap and stack buffer overflows, out-of-bounds access, integer overflows, type confusion, and insufficient validation of untrusted input. A follow-up update addressed **eight additional high-severity vulnerabilities** affecting **WebAudio**, **CSS**, **WebGL**, **Dawn**, **WebGPU**, **Fonts**, and **FedCM**, again dominated by memory-safety bugs that could lead to browser compromise. Google shipped versions `146.0.7680.153` and `146.0.7680.154` for Windows and macOS and `146.0.7680.153` for Linux in the first release, followed by `146.0.7680.164` and `146.0.7680.165` for Windows and macOS and `146.0.7680.164` for Linux in the second. The company said many flaws were found through **AddressSanitizer**, **MemorySanitizer**, and **libFuzzer**, paid a **$7,000** bounty for one WebAudio bug, and is withholding technical details until more users have updated to reduce the risk of exploit development.
Mar 24, 2026
Google Chrome fixes 151 flaws, including 22 critical remote code execution bugs
Google has released a major Chrome Stable update that patches **151 security vulnerabilities**, including **22 critical flaws** affecting desktop builds on Windows, macOS, and Linux, with related fixes also noted for Android and iOS. The patched desktop versions are `148.0.7778.216/217` for Windows, `148.0.7778.215/216` for macOS, and `148.0.7778.215` for Linux. Google and national cyber authorities urged users and administrators to update immediately, while the company temporarily withheld detailed technical information until most users receive the fixes. Google said none of the newly disclosed critical issues were known to be exploited in the wild at disclosure time. The most serious bugs include **CVE-2026-9872** in the GPU process, **CVE-2026-9873** in Network, **CVE-2026-9874** in Dawn, and **CVE-2026-9875** in WebGL, alongside numerous flaws in **ANGLE**, Bluetooth, Base, Proxy, media, and other browser components. The vulnerabilities span use-after-free, out-of-bounds read and write, integer overflow, race condition, and insufficient validation weaknesses that could enable **remote code execution**, sandbox escape, data corruption, or broader system compromise through malicious web content. Google said many issues were found internally through fuzzing, sanitizers, and control-flow integrity tooling, while external researchers also reported multiple bugs through the bounty program, with rewards reaching **$43,000**.
May 29, 2026
Chrome Desktop Update Fixes 28 Flaws Including Critical Memory Corruption Bugs
Google released a Stable Channel update for Chrome Desktop, upgrading Windows and Mac to **149.0.7827.114/.115** and Linux to **149.0.7827.114**, to address **28 security vulnerabilities** across components including Core, DigitalCredentials, Accessibility, GPU, WebMIDI, Network, DevTools, Extensions, Video, and Views. The release includes **five critical flaws**, notably multiple use-after-free bugs, a heap buffer overflow in GPU, and insufficient validation of untrusted input in Accessibility; Google said technical details will remain restricted until most users are patched or dependent third-party fixes are available. Published CVE records tied to the release highlight several high-severity issues: **`CVE-2026-12013`**, a Chrome Media use-after-free on Windows that could be triggered through a crafted HTML page; **`CVE-2026-12014`**, a Cast use-after-free that could enable a sandbox escape from the local network segment via malicious network traffic; **`CVE-2026-12016`**, a DevTools flaw that could allow sandbox escape after renderer compromise; and **`CVE-2026-12018`**, a Mojo issue that could lead to OS-level privilege escalation on Windows through a malicious file. The Canadian Centre for Cyber Security urged users and administrators running versions prior to the patched builds to review Google’s advisory and apply updates as they become available.
Jun 12, 2026