Google Patches Critical Chrome Vulnerabilities Allowing Code Execution

Google has released a new security update for its Chrome browser, patching 28 vulnerabilities, including several critical flaws that could allow attackers to achieve remote code execution on affected systems.

The latest Stable channel update upgrades Chrome to version 149.0.7827.114/.115 on Windows and macOS, and to 149.0.7827.114 on Linux.

The rollout is being deployed gradually and is expected to reach users over the coming days and weeks. Google has also published a detailed changelog outlining all modifications included in this release.

Critical Vulnerabilities Enable Code Execution

Among the most serious issues patched are multiple critical memory-corruption vulnerabilities.

These include several use-after-free flaws in core components, including Core, DigitalCredentials, and WebMIDI, identified as CVE-2026-12007, CVE-2026-12008, and CVE-2026-12011.

Such vulnerabilities occur when memory is improperly managed, allowing attackers to manipulate freed memory regions.

Google also addressed a critical heap buffer overflow vulnerability in the GPU component, tracked as CVE-2026-12010, along with an insufficient validation of untrusted input issue in the Accessibility component, identified as CVE-2026-12009.

These flaws could be exploited by convincing users to visit specially crafted web pages, potentially enabling arbitrary code execution and leading to full system compromise.

In addition to the critical vulnerabilities, the update resolves numerous high-severity issues affecting a wide range of Chrome components.

Several of these involve use-after-free vulnerabilities across Network, Media, Autofill, GPU, Video, and Views modules. These bugs can lead to memory corruption and are often leveraged in exploit chains.

Other high-severity issues include out-of-bounds read and write vulnerabilities in components such as Codecs, Video, and VideoCapture, which could allow attackers to access or manipulate memory in unintended ways.

A heap buffer overflow vulnerability in the GPU component further increases the risk of exploitation. The update also fixes multiple instances of insufficient validation of untrusted input in DevTools, Extensions, Network, and Linux Toolkit Theming.

In addition, Google addressed improper policy enforcement issues in DevTools and Headless mode, as well as a race condition vulnerability in Safe Browsing.

These weaknesses could potentially be abused to bypass security restrictions or interfere with browser protections.

Although Google has not confirmed whether these vulnerabilities are being actively exploited in the wild, the presence of multiple memory-related flaws significantly raises the likelihood of exploitation.

Attackers frequently target such vulnerabilities through malicious websites, exploit kits, or compromised advertising networks.

To minimize risk, Google has restricted access to detailed vulnerability information until a majority of users have installed the update.

This approach helps prevent attackers from analyzing patches to develop exploits before systems are secured. Google credited both internal security teams and external researchers for identifying and reporting these vulnerabilities.

The company also emphasized the role of advanced detection tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL in discovering and mitigating security flaws during development.

Users are strongly encouraged to update Chrome immediately to the latest version to protect against potential threats. While automatic updates are typically enabled, users can manually verify their browser version through the Chrome settings panel.

Organizations should prioritize patch deployment across all systems to reduce exposure and prevent possible exploitation.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.