Google this week promoted Chrome 149 to the stable channel with patches for 429 vulnerabilities, a record for a single Chrome refresh.
Already exceeding several times the total number of Chrome security fixes released in 2025, the surge in Chrome flaws is likely driven by AI use, which led Google to lower Chrome bug bounties in April.
Over 100 of the newly resolved security defects are critical and high-severity issues, most of which are use-after-free and insufficient validation of untrusted input flaws.
The most severe of the bugs is CVE-2026-10881 (CVSS score of 9.6), an out-of-bounds read and write weakness in the ANGLE graphics engine.
Remote attackers could exploit the vulnerability to escape Chrome’s sandbox via crafted HTML pages, potentially achieving code execution on the underlying operating system.
In its advisory, Google says it handed out a $97,000 bug bounty reward to the external researcher who reported the issue.
Two other critical-severity defects were reported by external researchers, namely CVE-2026-10882, a use-after-free issue in Network, which earned the reporting researcher a $43,000 reward, and CVE-2026-10883, an out-of-bounds write in ANGLE that was awarded a $5,000 bug bounty.
The remaining 19 critical-severity vulnerabilities addressed in this Chrome release were discovered by Google. Out of approximately 90 high-severity flaws, only 10 were reported by external researchers.
Approximately 40 of the over 300 medium and low-severity weaknesses resolved with the update were reported by external researchers.
Most of the patched weaknesses were use-after-free and insufficient validation of untrusted input issues. Numerous inappropriate implementation, insufficient policy enforcement, and out-of-bounds flaws were also addressed.
Google paid roughly $208,000 in bug bounty rewards to the reporting researchers, but the final amount could be much higher, as the company has yet to disclose the amounts for over a dozen reports.
The latest Chrome iteration is now rolling out as version 149.0.7827.53 for Linux and versions 149.0.7827.53/54 for Windows and macOS.
Related: Chrome 148 Update Patches 151 Vulnerabilities
Related: Cisco Warns of 7th SD-WAN Zero-Day Exploited in 2026
Related: Mirasvit Vulnerability Exploited to Execute Code on Magento Servers
Related: Cisco Warns of Available PoC for Critical Unified CM Vulnerability
