
Google has released Chrome 149.0.7827.102/.103 for Windows and macOS, as well as Chrome 149.0.7827.102 for Linux, addressing 74 security vulnerabilities, including a high-severity zero-day flaw in the V8 JavaScript engine that the company says has been exploited in the wild.
The update began rolling out earlier today and will become available to all users over the coming days and weeks.
The most significant issue fixed in the release is tracked as CVE-2026-11645, an out-of-bounds memory access vulnerability in V8, Chrome's JavaScript and WebAssembly engine. The bug was reported on April 27, 2026, by security researcher 303f06e3, who received a $55,000 bug bounty award for the discovery.
Google stated that it is aware of an exploit for CVE-2026-11645 being used in real-world attacks. As is standard practice for vulnerabilities under active exploitation, the company has restricted access to detailed technical information until a majority of users have installed the fix.
Out-of-bounds memory access bugs occur when software reads from or writes to memory outside the boundaries of an allocated buffer. In V8, such flaws can be triggered while processing specially crafted JavaScript or WebAssembly content. Successful exploitation may allow an attacker to corrupt memory, cause browser crashes, leak sensitive information from memory, or potentially achieve arbitrary code execution within the browser process.
V8 memory corruption bugs are frequently targeted by threat actors because they can provide an initial foothold that can later be combined with other vulnerabilities to expand access or escape security boundaries.
Google has not disclosed whether the observed attacks were widespread or targeted, nor has it revealed who may be behind the exploitation activity.
Seventeen critical vulnerabilities fixed
Beyond the zero-day, the Chrome update addresses an unusually large number of severe security flaws. The release contains 17 critical vulnerabilities, most of which are use-after-free memory corruption bugs affecting various browser components.
Among the critical issues patched are:
- CVE-2026-11628 and CVE-2026-11629 in Ozone
- CVE-2026-11630 in File Input
- CVE-2026-11631 in Aura
- CVE-2026-11632 in TabStrip
- CVE-2026-11633, CVE-2026-11635, and CVE-2026-11641 in Bluetooth
- CVE-2026-11634 in Gamepad
- CVE-2026-11636 in Autofill
- CVE-2026-11637 and CVE-2026-11644 in Views
- CVE-2026-11638 in Printing
- CVE-2026-11639 in Compositing
- CVE-2026-11640 and CVE-2026-11678 involving integer overflows in libyuv
- CVE-2026-11642 in Web Apps
- CVE-2026-11643 in Proxy
The release also fixes dozens of high-severity vulnerabilities across browser subsystems, including Extensions, ServiceWorker, Media, Network, GPU, Dawn, WebRTC, PDF rendering, Bluetooth, Passwords, SVG, WebCodecs, Skia, and Payments.
A notable portion of the vulnerabilities were identified internally by Google's security teams and automated testing infrastructure, possibly suggesting AI tools were involved.
Given the presence of an actively exploited zero-day, Chrome users are advised to install the update as soon as it becomes available.

Users can manually trigger an update by navigating to Settings → About Chrome. After the browser downloads the latest version, a restart is required to complete installation.
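For administrators checking many machines, the following added example (not code from Google or from the original article) classifies hosts against the fixed build 149.0.7827.102 and separately flags browsers that have downloaded the update but not yet restarted. The inventory row layout, the function names and the sample rows are assumptions made for illustration.

```python
import re

# Fixed build named in the article: 149.0.7827.102 on Windows, macOS and
# Linux (Windows and macOS may also show 149.0.7827.103).
FIXED = (149, 0, 7827, 102)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Pull a four-part version out of a string such as
    'Google Chrome 149.0.7827.102'; return a tuple of ints or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None

def classify(installed, running=None):
    """installed: version string of the binary on disk.
    running: version string of the live browser process, if one exists.
    Comparison is numeric per component, so .99 sorts below .102."""
    inst = parse_version(installed)
    if inst is None:
        return "unknown"
    if inst < FIXED:
        return "vulnerable"
    if running:
        run = parse_version(running)
        if run is None:
            return "unknown"
        if run < FIXED:
            # Update is on disk, but the old build is still executing.
            return "restart-pending"
    return "patched"

def audit(rows):
    """rows: iterable of (host, installed, running) -> {host: status}."""
    return {host: classify(inst, run) for host, inst, run in rows}

# Constructed sample inventory (hypothetical hosts and older versions).
SAMPLE = [
    ("ws-01", "Google Chrome 149.0.7827.103", "149.0.7827.103"),
    ("ws-02", "Google Chrome 149.0.7827.102", "148.0.7700.50"),
    ("ws-03", "Google Chrome 149.0.7827.99", None),
    ("ws-04", "version not reported", None),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as restart-pending remain exposed until the browser is relaunched, since the old build is still the one in memory.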






