# Google's Chrome 149 Update Tackles Record-Breaking Number of Vulnerabilities

*Published June 8, 2026*
*Source: [https://www.securityweek.com/chrome-149-patches-429-vulnerabilities/](https://www.securityweek.com/chrome-149-patches-429-vulnerabilities/)*

## Executive Summary

Google has released Chrome 149, addressing 429 vulnerabilities, the most for a single update. The update fixes critical issues, including a severe out-of-bounds vulnerability, highlighting the need for immediate browser updates and user awareness.

## Article

Google has rolled out Chrome 149 to the stable channel, addressing 429 vulnerabilities, a record for a single update. This one release contains more security fixes than the total number of Chrome patches released in 2025. The increase in vulnerabilities is possibly linked to the integration of AI technologies, which prompted Google to reduce bug bounties earlier this year.

Among the resolved issues, over 100 were classified as critical or high-severity. The most severe, identified as CVE-2026-10881, is an out-of-bounds read and write vulnerability in the ANGLE graphics engine with a CVSS score of 9.6. This flaw could allow remote attackers to escape Chrome's sandbox via specially crafted HTML pages, potentially executing code on the host operating system. For reporting this vulnerability, Google awarded an external researcher $97,000.

Two additional critical vulnerabilities were reported by external researchers: a use-after-free issue in the Network component, CVE-2026-10882, which earned a $43,000 reward, and an out-of-bounds write in ANGLE, CVE-2026-10883, meriting a $5,000 bounty. The rest of the critical flaws were discovered internally by Google.

The update, version 149.0.7827.53 for Linux and 149.0.7827.53/54 for Windows and macOS, also addresses around 90 high-severity vulnerabilities, only 10 of which were reported by external researchers. Of the more than 300 medium- and low-severity issues, 40 were externally reported. The fixes mainly cover use-after-free errors, inadequate validation of untrusted input, and various out-of-bounds and policy enforcement flaws.

In total, Google has paid approximately $208,000 in bug bounties for this update, although the final amount is set to increase as more reports are processed. This significant update underscores the importance of prompt browser updates and user vigilance to mitigate potential risks.
