Google Patches 18 Severe Vulnerabilities, Including Four Critical, in Chrome 149 Security Update

Google Chrome 149 Update Patches 4 Critical and 14 High-Severity Flaws

CRITICAL
June 25, 2026
5m read
Patch ManagementVulnerability

Related Entities

Organizations

Google

Products & Tech

Google ChromeWebGLBlink

CVE Identifiers

CVE-2026-13028
CRITICAL
CVEDetails.com CVE.org
CVE-2026-13032
CRITICAL
CVEDetails.com CVE.org
CVE-2026-13033
CRITICAL
CVEDetails.com CVE.org
CVE-2026-13038
CRITICAL
CVEDetails.com CVE.org

MITRE ATT&CK Techniques

T1204.001Execution

Malicious Link

T1059.007Execution

JavaScript

T1068Privilege Escalation

Exploitation for Privilege Escalation

Full Report

Executive Summary

Google has released Chrome version 149.0.7827.196 for Linux and 149.0.7827.196/197 for Windows and macOS, a critical security update that addresses 18 vulnerabilities. The update, released on June 25, 2026, is notable for the severity of the flaws it fixes: four are rated Critical and fourteen are rated High. The majority of these are memory corruption issues, specifically use-after-free vulnerabilities, which are notoriously dangerous as they can often be exploited to achieve arbitrary code execution. These critical flaws were discovered in key browser components including WebGL, Autofill, and Blink. Although Google has not reported any of these vulnerabilities as being actively exploited in the wild, their critical nature makes it imperative for all Chrome users and enterprise administrators to apply the update as soon as possible to prevent potential attacks.

Vulnerabilities Addressed

The Chrome 149 update is a significant security release, fixing a large number of severe flaws. The four critical vulnerabilities are:

  • CVE-2026-13028: A use-after-free vulnerability in WebGL, the API for rendering 3D graphics in the browser.
  • CVE-2026-13032: Another use-after-free vulnerability in WebGL.
  • CVE-2026-13038: A use-after-free vulnerability in the Autofill component, which handles form data.
  • CVE-2026-13033: An out-of-bounds read vulnerability in Blink InterestGroups, part of the browser's advertising API.

Ten of the eighteen total vulnerabilities were use-after-free bugs. This type of memory corruption flaw occurs when a program continues to use a pointer after the memory it points to has been freed. An attacker can exploit this by crafting a web page that causes the browser to write malicious code into that now-available memory space, potentially leading to a full system compromise.

The fourteen high-severity flaws also included numerous use-after-free bugs, as well as other issues affecting components like GPU, Bluetooth, and Web Authentication.

Affected Products

  • Product: Google Chrome browser
  • Affected Versions: All versions prior to 149.0.7827.196 (Linux) and 149.0.7827.196/197 (Windows and macOS).
  • Platforms: Windows, macOS, and Linux.

This update will also be rolled out to other Chromium-based browsers like Microsoft Edge, Brave, and Opera in the coming days and weeks.

Impact Assessment

An attacker who successfully exploits one of the critical use-after-free vulnerabilities could achieve remote code execution (RCE) within the context of the Chrome browser process. By chaining this with a sandbox escape vulnerability (another common type of browser flaw), an attacker could gain full control over the underlying operating system.

The typical attack scenario involves tricking a user into visiting a specially crafted, malicious website. No further user interaction would be required beyond visiting the page. A successful exploit could lead to:

  • Installation of Malware: The attacker could install spyware, ransomware, or other malicious software on the victim's system.
  • Data Theft: The attacker could steal sensitive information stored on the computer, including documents, passwords, and financial data.
  • Corporate Espionage: In a targeted attack, the exploit could be used to establish a foothold within a corporate network for long-term espionage.

The fact that Google's internal teams, likely using advanced AI-powered fuzzing tools, discovered 17 of the 18 flaws suggests that these are complex bugs that may soon be found by external security researchers or threat actors.

Cyber Observables — Hunting Hints

The following patterns may help identify unpatched systems or active exploitation:

Type
process_name
Value
chrome.exe
Description
Monitor for Chrome browser processes crashing unexpectedly or consuming an unusually high amount of CPU or memory, which can be a sign of a failed exploit attempt.
Type
log_source
Value
EDR/Antivirus Logs
Description
Look for alerts related to browser process behavior, such as Chrome attempting to write an executable file to disk or launch a command shell (cmd.exe, powershell.exe).
Type
network_traffic_pattern
Value
Connections to suspicious domains
Description
Correlate browser traffic with threat intelligence feeds. A user's browser connecting to a known malicious domain could be an indicator of compromise.

Detection Methods

  • Asset Management: The most effective detection method for this issue is to identify vulnerable systems. Use an asset management or endpoint management tool to scan all devices and report which ones are running a version of Chrome earlier than 149.0.7827.196/197.
  • Behavioral Analysis (D3-PA): EDR tools can be configured to detect post-exploitation behavior. Create detection rules for when a browser process like chrome.exe spawns a child process like powershell.exe or cmd.exe, or attempts to make modifications to the registry or file system outside of its normal sandbox. (D3FEND: D3-PA - Process Analysis)

Remediation Steps

  1. Update Chrome Immediately: The primary and only remediation is to update the Google Chrome browser. Chrome's built-in auto-update feature will handle this for most users. To manually trigger the update, go to Help > About Google Chrome. The browser will check for updates and prompt you to relaunch.
  2. Enforce Updates in Enterprise: In corporate environments, use endpoint management tools (e.g., Microsoft Intune, Jamf) or Group Policy to force the update across all workstations. Verify that the update has been successfully applied.
  3. Update Other Chromium Browsers: Users of other Chromium-based browsers should be on alert for corresponding updates from their respective vendors and apply them as soon as they become available.
  4. Restart the Browser: Simply downloading the update is not enough. The browser must be restarted for the patch to take effect.

Timeline of Events

1
June 25, 2026
Google releases the Chrome 149 security update to the Stable channel.
2
June 25, 2026
This article was published

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

Applying the Chrome 149 update is the only way to remediate these vulnerabilities.

Mapped D3FEND Techniques:

D3-SU

Restrict Web-Based Content

M1021enterprise

Using a web filter to block access to known malicious or untrusted websites can prevent users from reaching the malicious content needed to exploit these flaws.

Mapped D3FEND Techniques:

D3-DNSDL

Application Isolation and Sandboxing

M1048enterprise

The browser's built-in sandbox is a critical security feature that contains the impact of an exploit. While not a user-configurable mitigation, its effectiveness is key to browser security.

D3FEND Defensive Countermeasures

Software Update

D3-SUMaps to MITREM1051
D3FEND

The primary and most effective countermeasure is to ensure all instances of Google Chrome are updated to version 149.0.7827.196/197 or later. In an enterprise setting, rely on automated endpoint management tools to enforce this update. Configure policies to force the update and a subsequent browser restart within a defined, short timeframe (e.g., 24-48 hours). For end-users, enable Chrome's auto-update feature and manually check for updates by navigating to 'About Google Chrome' in the settings menu. Since these are severe memory corruption flaws, there are no effective compensating controls other than patching. The speed of deployment is critical to close the window of opportunity for attackers.

Process Analysis

D3-PAMaps to MITREM1040
D3FEND

To detect potential exploitation of these or future browser vulnerabilities, security teams must monitor for post-exploitation behavior using an EDR. The most critical indicator of a successful browser exploit and sandbox escape is a browser process (chrome.exe) spawning a child process that it should not, such as a command shell (cmd.exe, powershell.exe) or a script host (wscript.exe). Create a high-priority detection rule for this specific parent-child process relationship. This behavioral rule is highly effective because it is agnostic to the specific CVE and focuses on the attacker's objective after the exploit: to break out of the sandbox and execute code on the host system.

DNS Denylisting

D3-DNSDLMaps to MITREM1021
D3FEND

As a defense-in-depth measure, use a DNS filtering or web security gateway to prevent users from accessing malicious websites that would host the exploit code. While this won't fix the underlying vulnerability in Chrome, it can prevent the first step in the attack chain. Subscribe to reputable threat intelligence feeds that provide lists of known malicious and newly registered domains. Configure your web gateway to block access to these categories. This reduces the likelihood that a user, even one with a vulnerable browser, will be able to navigate to the attacker's malicious landing page, thus preventing the exploit from being delivered.

Timeline of Events

1
June 25, 2026

Google releases the Chrome 149 security update to the Stable channel.

Sources & References

Chrome 149 Update Resolves 18 Severe Vulnerabilities
SecurityWeekJune 25, 2026
Chrome 149 Security Update — Patch for Critical Flaws that Enable Code Execution Attacks
Cybersecurity NewsJune 25, 2026
Chrome 149 Security Update Fixes 18 Critical Vulnerabilities
News4HackersJune 25, 2026
Chrome 149 Security Update
Security OnlineJune 25, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

Google ChromeVulnerabilityPatch ManagementUse-after-freeRemote Code ExecutionCVE-2026-13028CVE-2026-13038

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.