Chrome Patches 429 Vulnerabilities, Including 22 Critical
Google has issued an urgent stable update for Chrome, addressing a substantial 429 vulnerabilities. This release, Chrome 149.0.7827.x, includes patches for 22 critical flaws affecting users across Windows, macOS, Linux, and Chrome for iOS. All users are strongly advised to update promptly.
Google has promoted Chrome 149.0.7827.x to the stable channel with one of the largest security patch bundles seen in a single release cycle, covering 429 distinct vulnerabilities.
The fixes span the browser engine, graphics and GPU layers, media pipeline, UI, networking stack and Chrome‑specific features such as Autofill, Password Manager, DevTools, WebView and Chrome for iOS.
As usual, Google is limiting access to detailed issue descriptions and bug tracker entries until most users have updated, to reduce the likelihood of threat actors weaponizing them.
This release targets desktop builds on Windows, Mac and Linux, alongside coordinated fixes for Chrome on iOS, Chromecast and other ecosystem components that share core code.
For enterprises, the update represents a broad hardening step across multiple devices, where Chrome is often the first line of defense against untrusted web content, SaaS apps, and cloud control planes.
Chrome Patches 429 Vulnerabilities
Of the 429 bugs, 22 are classified as critical, many of which are rooted in memory‑safety defects in graphics, GPU, and core browser components.
These include out‑of‑bounds read and write issues in ANGLE (such as CVE‑2026‑10881 and CVE‑2026‑10883), a stack buffer overflow in the GPU stack (CVE‑2026‑10898), and multiple use‑after‑free conditions across Network, Chromecast, Cast Streaming, Chromoting, Printing, FileSystem, GFX, Ozone and Chrome for iOS.
Such flaws are prime candidates for remote code execution, sandbox escape, and privilege escalation when combined with weaknesses in the renderer or JavaScript engine.
The presence of several critical issues affecting Chrome for iOS and casting components also raises the risk profile for users and organizations that rely on Chrome in multi‑device workflows, meeting rooms and hybrid work environments.
Beyond the critical set, Google has addressed a substantial number of high‑severity vulnerabilities, many of which are directly reachable from web content.
These include type confusion and implementation bugs in V8, use-after-free in WebRTC, Network, WebAuthentication, Audio, UI, and FileSystem, as well as integer overflows in Dawn, DevTools, Media, and V8.
Collectively, they provide building blocks for exploit chains that can pivot from browser compromise into persistence or lateral movement inside enterprise networks.
Hundreds of medium‑severity issues focus on insufficient validation of untrusted input, policy bypasses, uninitialized use, and incorrect security UI.
| CVE ID | Component | Bug class |
|---|---|---|
| CVE‑2026‑10881 | ANGLE | Out‑of‑bounds read/write |
| CVE‑2026‑10882 | Network | Use‑after‑free |
| CVE‑2026‑10883 | ANGLE | Out‑of‑bounds write |
| CVE‑2026‑10884 | Chromecast | Use‑after‑free |
| CVE‑2026‑10885 | Chrome for iOS | Use‑after‑free |
| CVE‑2026‑10886 | FileSystem | Use‑after‑free |
| CVE‑2026‑10887 | Chromoting | Use‑after‑free |
| CVE‑2026‑10888 | Cast Streaming | Use‑after‑free |
| CVE‑2026‑10889 | ANGLE | Out‑of‑bounds read |
| CVE‑2026‑10890 | Cast | Use‑after‑free |
| CVE‑2026‑10891 | GFX | Use‑after‑free |
| CVE‑2026‑10892 | GPU | Out‑of‑bounds write |
| CVE‑2026‑10893 | Chromoting | Use‑after‑free |
| CVE‑2026‑10894 | Printing | Use‑after‑free |
| CVE‑2026‑10895 | Ozone | Use‑after‑free |
| CVE‑2026‑10896 | Chrome for iOS | Use‑after‑free |
| CVE‑2026‑10897 | GPU | Out‑of‑bounds write |
| CVE‑2026‑10898 | GPU | Stack buffer overflow |
| CVE‑2026‑10899 | Ozone | Use‑after‑free |
| CVE‑2026‑10900 | Passwords | Use‑after‑free |
| CVE‑2026‑10901 | Passwords | Use‑after‑free |
| CVE‑2026‑10902 | Ozone | Use‑after‑free |
The medium‑severity set also covers data‑handling weaknesses in components such as Password Manager, WebView, CSS, SVG, USB, GPU, WebRTC, Safe Browsing, and others.
While individually less severe, these bugs align well with modern tracking and exploitation techniques, from leaking sensitive state to bypassing consent prompts or eroding isolation boundaries in complex deployments.
The update also delivers numerous low‑severity fixes in peripheral but important components, including TabStrip, Navigation, DevTools, Content Settings, Safe Browsing, Extensions, Enterprise features and various UI elements.
These issues often relate to incorrect security UI, insufficient policy enforcement and subtle edge‑case behavior that, if left unpatched, could still be abused in targeted scenarios or combined with higher‑impact bugs.
Google credits a broad community of independent researchers, academic labs and internal teams, emphasizing the role of sanitizers and fuzzing frameworks such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer and AFL in surfacing many of the memory‑safety defects.
Even with this proactive detection, the sheer volume of vulnerabilities in this release underlines the ongoing intensity of browser security work and the importance of timely patch adoption.
Given the concentration of critical and high‑severity vulnerabilities in components such as ANGLE, GPU, Network, Password Manager, WebRTC, and Chrome for iOS, organizations and end users should prioritize deploying Chrome 149.0.7827.x without delay.
Security teams should enforce automatic updates wherever possible, push the new build fleet‑wide through management tooling, verify coverage, and prepare to track any exploitation attempts tied to these CVEs once full technical details are made public.
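One way to carry out the "verify coverage" step, as an added example that is not part of the original report or any Google tooling: a short Python check that classifies each host in an inventory export against the fixed 149.0.7827 release train. The CSV layout, hostnames and version strings are constructed for illustration, and because the article gives the fourth version component only as "x", the comparison uses the first three components.

```python
import csv
import io

# Fixed release train named in the article. The fourth component is given
# only as "x", so compliance is judged on major.minor.build.
FIXED_TRAIN = (149, 0, 7827)

# Constructed inventory export: hosts, platforms and versions are made up.
SAMPLE_INVENTORY = """host,platform,chrome_version
ws-001,Windows,149.0.7827.12
ws-002,Windows,148.0.7790.101
mac-017,macOS,149.0.7827.3
lin-044,Linux,149.0.7826.200
ios-203,iOS,150.0.7900.1
kiosk-9,Linux,
ws-003,Windows,not-installed
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if not dotted-numeric."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Bucket a reported version as patched, vulnerable or unknown."""
    version = parse_version(version_text or "")
    if version is None:
        # Missing or unparseable data is never counted as patched.
        return "unknown"
    return "patched" if version[:3] >= FIXED_TRAIN else "vulnerable"

def coverage_report(inventory_csv):
    """Group hosts by status and compute the patched share of the whole fleet."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row.get("chrome_version"))].append(row["host"])
    total = sum(len(hosts) for hosts in report.values())
    patched = len(report["patched"])
    report["coverage_pct"] = round(100 * patched / total, 1) if total else 0.0
    return report

if __name__ == "__main__":
    for key, value in coverage_report(SAMPLE_INVENTORY).items():
        print(f"{key}: {value}")
```

Hosts in the "unknown" bucket count against coverage, so endpoints that never report a version cannot inflate the figure.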
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


