Google released Chrome 149 on Wednesday, fixing 18 security vulnerabilities — four rated critical and 14 rated high severity. More than half are use-after-free flaws, a type of memory corruption that can potentially allow remote code execution.
In Chrome, use-after-free bugs can be combined with OS-level or browser process vulnerabilities to escape the sandbox. That makes them especially dangerous.
The remaining patched issues include out-of-bounds reads, inappropriate implementation, uninitialized use, and insufficient validation of untrusted input. The most severe bug was reported by an anonymous researcher. Google hasn’t disclosed the bounty amount yet.
Notably, 17 of the 18 vulnerabilities were discovered by Google’s own teams — a trend that’s held for the past couple of months, likely driven by increased use of AI in vulnerability research.
The release follows a massive batch of 429 Chrome patches in early June. Since then, the number of new vulnerabilities per release has dropped significantly into the lower double digits. Google says none of the newly patched flaws are being exploited in the wild.
Chrome 149.0.7827.196/197 is now rolling out for Windows and macOS, and version 149.0.7827.196 is rolling out for Linux.
