Chrome 149 Update Addresses Record 429 Security Vulnerabilities

Google has released Chrome version 149.0.7827.53/54 for Windows and macOS, as well as 149.0.7827.53 for Linux, which tackles over 400 security vulnerabilities, a record for any single update. According to the company, none of these vulnerabilities have been actively exploited thus far.

The update introduces a significant shift in the browser’s functionality, particularly within its PDF viewer. Users can now fill in, annotate, and sign PDF documents directly through Chrome. This development aligns with a wider trend in web browsers, as similar functionalities have been present in Firefox for some time.

While users eagerly await features such as vertical tab arrangement and an improved Reading Mode, these enhancements have yet to be rolled out to all users. Chrome usually conducts updates automatically, but manual checks can be performed through the menu item Help → About Google Chrome.

In addition to desktop versions, Google has also launched Chrome 149.0.7827.59 for Android, with equivalent security patches. The Extended Stable Channel for Windows and macOS has been updated to Chromium version 148.0.7778.254. Chrome 150 is anticipated to launch by late June.

According to Srinivas Sista in the Chrome Releases blog post, the discovery of 429 security flaws marks a dramatic increase over previous versions. This surge has sparked discussions about the role of advanced Artificial Intelligence tools, such as Google Big Sleep, in identifying vulnerabilities. Notably, Google identified 371 of these vulnerabilities itself, while independent security researchers flagged the remainder, for which they have been awarded a total exceeding $209,000 in bug bounties.

The update resolves 22 critical vulnerabilities, including CVE-2026-10881 to CVE-2026-10902, with a large portion being classified as 'use-after-free' vulnerabilities, particularly within various components such as the WebGL library Angle. Additional vulnerabilities categorised as high, medium, and low-risk numbered 87, 226, and 94 respectively. Among the critical flaws, CVE-2026-10881 has received special attention due to its potential for remote exploitation, which could allow attackers to escape the Chrome sandbox through crafted HTML pages.

As Google continues to enhance security in its applications, experts recommend that users ensure their browsers are updated and consider antivirus protections to bolster security against potential threats.