Google Patches 429 Chrome Vulnerabilities in Major Browser Update

Google has patched 429 vulnerabilities in its Chrome browser, an unusually large update for a stable Chrome release. Chrome 149 was released with fixes for security flaws affecting the browser’s rendering, graphics, networking and extension components.

The company promoted Chrome 149 to the stable channel for Windows, Mac and Linux on June 2. The updated versions are 149.0.7827.53 for Linux and 149.0.7827.53/.54 for Windows and Mac, according to Google’s Chrome Releases blog. Google said the update will roll out over the coming days and weeks, and it is keeping some bug details restricted until most users have received the fixes.

Google’s advisory lists more than 100 vulnerabilities rated critical or high severity. Many of the serious flaws involve familiar browser security issues, including use-after-free memory safety bugs and cases where Chrome components did not adequately validate untrusted input. With 429 fixes, Chrome 149 stands out even against recent large Chrome patch cycles. Google’s May 5 Chrome 148 stable release included 127 security fixes, while a May 27 Chrome 148 update addressed 151 vulnerabilities.

External researchers reported many of the serious flaws fixed in the release, including the two critical bugs awarded the largest bounties. The most critical issue listed by Google is CVE-2026-10881, a critical out-of-bounds read and write vulnerability in ANGLE, Chrome’s graphics abstraction layer. An anonymous researcher who reported the flaw received a $97,000 bug bounty for the discovery, according to Google. The vulnerability has a CVSS score of 9.6 and could allow a remote attacker to escape Chrome’s sandbox through a malicious HTML page.

The second critical issue listed by Google is CVE-2026-10882, a use-after-free vulnerability in Chrome’s Network component, part of a common class of memory safety flaws in browser security. Google said the flaw was reported on April 17 by a researcher who was awarded $43,000 for the discovery. While Google has not disclosed enough technical detail to assess the vulnerability’s full impact, the size of the award suggests the company considered the report significant.

The large Chrome update arrives as Google is reworking its vulnerability reward programs for this new era of AI-assisted security research. In April, Google said it was adjusting the Android and Chrome programs to put more emphasis on complex, high-impact bugs and reports that include proposed patches, while lowering rewards for some lower-complexity findings that AI tools may make easier to discover.

Google’s advisory does not say that any of the flaws fixed in Chrome 149 are being exploited in the wild, but the affected components show how much security risk is now concentrated inside the browser as an application runtime. Google’s list includes flaws in ANGLE, Network, FileSystem, GPU, Passwords, WebRTC, V8, WebAuthentication, Extensions and DevTools, among others. Because Chrome now sits at the center of web apps, authentication, remote access and developer workflows, browser patching has become an enterprise security task, not just a consumer maintenance issue.

Browser patching may be routine, but Chrome’s role in daily work means delayed updates can leave this large and frequently used attack surface highly exposed. Chrome 149 does not appear to be an emergency zero-day release, based on Google’s public notes, but its size and severity make it a patch cycle worth tracking closely.


Jaime Hampton

Jaime Hampton is a technology journalist covering enterprise technology, security, data infrastructure and emerging technology trends. She also has deep experience covering artificial intelligence, high performance computing, scientific computing, and the compute, data, and software systems that support them.
