Google pushed Chrome 149 to the Stable channel on Thursday, June 11, 2026, with 28 security fixes, five of them rated critical and twelve of them use-after-free memory-safety defects. The release is rolling out as version 149.0.7827.114/.115 for Windows and macOS and 149.0.7827.114 for Linux, with the company warning that “access to bug details and links may be kept restricted until a majority of users are updated with a fix.”
Of the 28 fixes, 5 carry a critical severity rating and 23 are high. The five critical bugs sit in Core, DigitalCredentials, Accessibility, GPU, and WebMIDI, and many of the high-severity issues cluster in Chrome’s graphics, video, and networking code, a pattern that has dominated Chrome’s monthly patches for the better part of a year.
The 28 Fixes in Chrome 149
Google’s release notes for the Chrome 149 stable channel release went out Thursday, June 11, 2026, listing 28 security fixes across version 149.0.7827.114/.115 for Windows and macOS and 149.0.7827.114 for Linux. The rollout is described as gradual and is expected to reach the user base “over the coming days/weeks.” The post is signed by Srinivas Sista for the Google Chrome team.
Five of the 28 security fixes are tagged critical. Three are use-after-free defects in Core, DigitalCredentials, and WebMIDI, cataloged as CVE-2026-12007, CVE-2026-12008, and CVE-2026-12011. A fourth, CVE-2026-12010, is a heap buffer overflow in the GPU component. The fifth, CVE-2026-12009, is an insufficient validation of untrusted input in the Accessibility component.
The remaining 23 flaws are rated high-severity and span Network, Media, Cast, Autofill, GPU, Video, Views, and other components. The pattern is familiar: most are use-after-free, with a smaller set of out-of-bounds reads and writes, insufficient validation, and policy enforcement gaps. Google’s notes leave a gap in the CVE sequence between 12020 and 12022, so the visible list contains 28 entries, not 29.
| CVE | Severity | Type | Component |
|---|---|---|---|
| CVE-2026-12007 | Critical | Use after free | Core |
| CVE-2026-12008 | Critical | Use after free | DigitalCredentials |
| CVE-2026-12009 | Critical | Insufficient validation of untrusted input | Accessibility |
| CVE-2026-12010 | Critical | Heap buffer overflow | GPU |
| CVE-2026-12011 | Critical | Use after free | WebMIDI |
A Dozen Memory-Safety Bugs in One Release
Twelve of the 28 fixes, three critical and nine high, are use-after-free defects, the same memory-safety class that has driven most of Chrome’s emergency patches for the past four years. SecurityWeek’s write-up of the release counts the UAFs the same way, calling them “a dozen of them, including three critical and nine high-severity defects.” The bug class can be exploited for remote code execution, data corruption, or denial-of-service, and on Chrome a successful UAF exploit can be chained with an operating-system bug to escape the browser’s sandbox. None of the 12 UAFs in this release have been confirmed as exploited in the wild, and Google makes no mention of in-the-wild attacks tied to any of the new CVEs. The release is a scheduled Stable channel update, not an emergency out-of-band patch.
The release notes also flag Chrome’s detection stack, a list that has appeared in similar form for years. “Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL,” the post reads. The tools play different roles: the sanitizers instrument test builds so that an out-of-bounds access, a read of uninitialized memory, or undefined behaviour aborts at the faulting instruction instead of silently corrupting state; Control Flow Integrity aborts an indirect call whose target is not of the expected type; and libFuzzer and AFL generate the inputs that drive those instrumented builds. Chrome runs the combination continuously against the codebase.
That pipeline has been busy in 2026. SecurityWeek reports that “since the beginning of the year, Google patched over 700 bugs in Chrome, more than five times the total resolved in 2025. Five of them have been exploited as zero-days.” The same report attributes the surge in surfaced flaws to “the use of AI,” likely AI-assisted code review and automated variant analysis, a claim Google has not confirmed on the record. What is on the record is the raw volume.
The breakdown of the 23 high-severity issues, per SecurityWeek’s analysis, is nine use-after-free, four insufficient validation of untrusted input, three inappropriate implementation, two insufficient policy enforcement, two out-of-bounds reads, one out-of-bounds write, one race condition, and one heap buffer overflow. Nine of those 23 are UAF, twelve of the full 28 once the three critical ones are counted, and they sit in different subsystems each month. The distribution says the memory-safety class is structural, not localized to one feature.
- 5 critical, 23 high
- 12 of 28 are use-after-free defects
- 700+ Chrome security bugs patched since the start of 2026
2026’s Chrome Patch Tally Crosses 700 Bugs
Chrome 149 is the third Stable channel update Google has shipped in June 2026. The previous release, dated Monday, June 8, closed 74 security fixes, including a critical use-after-free in Ozone, and a May desktop update closed 151 flaws. Across the year, the cumulative Chrome bug count is more than five times the total resolved in 2025, and five of those bugs were confirmed as zero-days exploited in the wild before a patch shipped.
The June 11 release does not join the zero-day list. Google’s notes say “access to bug details and links may be kept restricted until a majority of users are updated with a fix,” the same holdback language the company uses for any non-emergency update, and they make no claim of in-the-wild exploitation. The holdback is meant to keep attackers from reverse-engineering the patches before defenders have rolled them out, and for the five earlier 2026 zero-days, patches shipped faster and the disclosure language was sharper.
- 9 use-after-free defects
- 4 insufficient validation of untrusted input
- 3 inappropriate implementation
- 2 insufficient policy enforcement
- 2 out-of-bounds reads
- 1 out-of-bounds write
- 1 race condition in Safe Browsing
- 1 heap buffer overflow in GPU
27 of 28 Discovered by Google, Not Outside Hackers
Twenty-seven of the 28 fixes in the June 11 release are tagged “Reported by Google” in the release notes, the highest internal-discovery share for a Chrome monthly update in recent memory. A single external researcher, Henock Habte, an independent security researcher, gets credit for CVE-2026-12013, a high-severity use-after-free in Media reported on May 18, 2026. The asymmetry is a quiet shift for a program that has historically relied on outside bug hunters to surface the bulk of its flaws.
SecurityWeek puts the share the same way: “27 of the resolved security defects are marked as ‘reported by Google’, and only one as reported by an independent researcher.” Google’s Vulnerability Reward Program still pays bounties for externally reported Chrome bugs, and the program has not changed its terms. The shift is in volume, not policy, and Google’s internal sanitizer and fuzzer pipeline is producing more reports, faster, than outside researchers are.
The May-to-June timing helps explain it. The five critical flaws were reported internally between May 26 and May 30, 2026, and the high-severity internal reports cluster in the same window, a few weeks of reporting that produced 27 fixes. Outside research tends to land one or two critical Chrome bugs a month, and Google’s own tooling now accounts for the rest.
MiraclePtr, Rust, and the Long Path Off Memory Bugs
Google has been fighting use-after-free bugs in Chrome for years. SecurityWeek’s write-up notes that Google introduced MiraclePtr in 2022. It is a wrapper type that replaces raw C++ pointers with a checked version: as long as a wrapped pointer still refers to an allocation, the allocator keeps the freed memory quarantined and poisoned instead of handing it out again, so an access through a dangling pointer hits poison and crashes rather than reading or overwriting an object the attacker placed in the reused slot. MiraclePtr is a mitigation, not a fix, and it has not stopped UAFs from being the dominant bug class in Chrome’s advisories. It has, however, narrowed the path from a memory-safety bug to a working exploit.
The longer-term answer is Rust. Google “is transitioning Chrome’s codebases to Rust to eliminate this type of security defect entirely,” per SecurityWeek. Rust’s ownership model enforces memory safety at compile time, and safe Rust cannot produce a use-after-free the way C++ can (only code inside explicit unsafe blocks can), but the transition is partial, and the bulk of Chrome’s codebase is still C++.
That partial transition is visible in the June 11 release. The critical and high UAF list touches Core, DigitalCredentials, WebMIDI, Network, Media, Cast, Autofill, GPU, Video, and Views, with no single component dominating. Most of those subsystems still ship with large C++ surfaces, and new Rust modules are landing in pieces. Where MiraclePtr covers the stale access it turns the bug into a crash rather than an exploitable write, so the user sees at worst a crashed tab, but the underlying class of bug keeps arriving in code that has been audited many times before. The June 11 list puts UAFs in 10 separate components, which fits the structural pattern SecurityWeek described.
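The mechanism described in the two passages above, the use-after-free itself and the quarantine idea behind MiraclePtr, reduced to a runnable C++ toy. This is an added example, not Chrome or PartitionAlloc code: Slab, CheckedPtr, Handler and the 0xEF poison byte are all invented for the illustration. It keeps a four-slot bucket allocator, frees a Handler while a second pointer to it still exists, lets an “attacker” allocate a same-sized chunk filled with 0x41, and then reads the Handler through the stale pointer. With a raw pointer the freed slot is recycled and the attacker’s bytes become the function pointer; with the reference-counted wrapper the slot is quarantined, the attacker lands elsewhere, and the stale read sees only poison.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstring>

constexpr std::size_t kSlotSize = 16;
constexpr std::size_t kSlots = 4;
constexpr std::uint8_t kPoison = 0xEF;  // fill pattern for quarantined slots (toy value)

// Four same-sized slots, like one size class of a bucketing allocator. refs_[i]
// counts live CheckedPtr references to slot i; that counter is the BackupRefPtr
// idea behind MiraclePtr: a slot freed while references remain is poisoned and
// kept out of the free pool until the last reference is gone.
class Slab {
 public:
  void* alloc() {
    for (std::size_t i = 0; i < kSlots; ++i)
      if (!in_use_[i] && refs_[i] == 0) { in_use_[i] = true; return slot(i); }
    return nullptr;
  }
  void dealloc(void* p) {
    std::size_t i = index_of(p);
    in_use_[i] = false;
    if (refs_[i] > 0) std::memset(slot(i), kPoison, kSlotSize);  // quarantine
  }
  void add_ref(const void* p) { ++refs_[index_of(p)]; }
  void release(const void* p) { --refs_[index_of(p)]; }

 private:
  std::uint8_t* slot(std::size_t i) { return mem_.data() + i * kSlotSize; }
  std::size_t index_of(const void* p) const {
    return static_cast<std::size_t>(static_cast<const std::uint8_t*>(p) - mem_.data()) / kSlotSize;
  }
  alignas(std::max_align_t) std::array<std::uint8_t, kSlotSize * kSlots> mem_{};
  std::array<bool, kSlots> in_use_{};
  std::array<unsigned, kSlots> refs_{};
};

// Pointer wrapper that registers itself with the slab, standing in for raw_ptr<T>.
template <typename T>
class CheckedPtr {
 public:
  CheckedPtr(Slab& slab, T* p) : slab_(slab), p_(p) { slab_.add_ref(p_); }
  ~CheckedPtr() { slab_.release(p_); }
  T* get() const { return p_; }
 private:
  Slab& slab_;
  T* p_;
};

// Victim object: a callback the program will invoke later.
void benign_callback(int) {}
struct Handler { void (*callback)(int); int state; };
static_assert(sizeof(Handler) <= kSlotSize, "Handler must fit one slot");

// Copy a Handler out of a slot byte for byte, so the stale read is well defined here.
Handler read_handler(const void* p) { Handler h; std::memcpy(&h, p, sizeof h); return h; }
Handler* make_handler(Slab& slab) {
  Handler* h = static_cast<Handler*>(slab.alloc());
  Handler init{&benign_callback, 7};
  std::memcpy(h, &init, sizeof init);
  return h;
}

struct UafOutcome {
  bool slot_reused;         // did the attacker's allocation land on the freed slot?
  std::uintptr_t callback;  // function pointer seen through the stale pointer
};
// Free `h` while `stale` still points at it, let the attacker allocate a
// same-sized chunk filled with 0x41, then read the Handler through `stale`.
UafOutcome run(Slab& slab, Handler* h, const void* stale) {
  slab.dealloc(h);
  void* attacker = slab.alloc();
  std::memset(attacker, 0x41, kSlotSize);
  Handler seen = read_handler(stale);
  return {attacker == static_cast<void*>(h), reinterpret_cast<std::uintptr_t>(seen.callback)};
}

// Raw pointer: the allocator cannot see the second reference, slot 0 is
// recycled, and the attacker's bytes become the function pointer.
UafOutcome raw_pointer_uaf() {
  Slab slab;
  Handler* h = make_handler(slab);
  Handler* dangling = h;
  return run(slab, h, dangling);
}

// CheckedPtr: the reference is counted, dealloc() quarantines slot 0, the
// attacker lands in slot 1, and the stale read sees only poison bytes.
UafOutcome checked_pointer_uaf() {
  Slab slab;
  Handler* h = make_handler(slab);
  CheckedPtr<Handler> dangling(slab, h);
  return run(slab, h, dangling.get());
}

// A uintptr_t with every byte equal to `b`, for checking the observed pointer value.
std::uintptr_t repeated_byte(std::uint8_t b) {
  std::uintptr_t v = 0;
  for (std::size_t i = 0; i < sizeof v; ++i) v = (v << 8) | b;
  return v;
}
```

The point of the comparison is the value of `callback` after the stale read: 0x4141…41 in the raw-pointer case is a function pointer the attacker chose, which is the whole exploit primitive, while 0xEFEF…EF in the checked case points nowhere useful and crashes the process on the first call. The toy leaves out what makes the real thing hard, such as pointers stored outside the heap, threads, and the cost of the counter, which is why MiraclePtr is a mitigation rather than a fix.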
A different mitigation runs alongside MiraclePtr. Chrome’s sandbox confines the renderer process so that a code-execution bug in the browser does not immediately give an attacker control of the operating system, and a separate site-isolation feature puts each site in its own renderer. Both layers are visible in the structure of the fixes: a memory-safety bug in Network, Media, or GPU is one link in a chain, and the second link is usually a bug in the operating system. The recent SYSTEM-level Windows exploit circulating on GitHub showed the second link arriving on its own, with no Chrome involvement.
The defense-in-depth posture is also visible in the June 11 disclosure language. Google’s notes say “access to bug details and links may be kept restricted until a majority of users are updated with a fix.” The same notes name the detection tools and credit internal teams, but they do not name the bugs in technical detail, in a posture meant to publish enough to credit a finder without giving an attacker a working exploit.
Why a Browser Monoculture Magnifies the Risk
Chrome’s desktop market share was 65.16% globally as of the most recent Statcounter reading cited by industry trackers, ahead of Safari at 18.86% and Edge further back. A single Chrome vulnerability that allows code execution effectively reaches a majority of the web’s browser sessions. A sandbox escape from there compromises the underlying operating system, which is as true on Windows as on macOS and Linux, and it is why one Chrome bug produces patches on all three desktop platforms in the same week. The June 8 update, which closed 74 flaws, fits the same pattern at higher volume.
Most Chrome users will receive 149.0.7827.114 or .115 without doing anything, and a rollout “over the coming days/weeks” is faster than the typical enterprise patch window. The detail holdback is meant to buy that time, and CISA’s three-day federal patch clock has narrowed the gap between a public CVE and a federal system with the fix applied. Chrome’s own auto-update is the second line of defense behind that clock. For the 28 flaws in the June 11 release, the gap between disclosure and deployment is the exposure window that determines how many systems are still vulnerable when the technical details land.
Access to bug details and links may be kept restricted until a majority of users are updated with a fix.
Google’s Chrome 149 release notes, signed by Srinivas Sista for the Google Chrome team, June 11, 2026.
Frequently Asked Questions
Which Chrome version contains the June 11, 2026 security fixes?
Chrome 149.0.7827.114/.115 on Windows and macOS, and 149.0.7827.114 on Linux, per the Chrome 149 release notes. The rollout is gradual and is expected to reach most users over the coming days and weeks.
Are any of the 28 vulnerabilities being actively exploited?
Google’s release notes make no mention of in-the-wild exploitation for any of the 28 flaws, and the disclosure is a standard Stable channel security update rather than an emergency out-of-band patch. Five other Chrome bugs have already been confirmed as zero-days earlier in 2026, and none of them is in the June 11 batch.
How do I check whether my Chrome browser is up to date?
Open Chrome and navigate to chrome://settings/help, which also triggers an immediate update check. The build should read 149.0.7827.114 or 149.0.7827.115, and automatic updates are on by default. If the build is older, Chrome fetches the patch on the next scheduled check, but the new build only runs after a relaunch: a browser window left open for days keeps executing the old code until the user clicks Relaunch on the About Chrome page or restarts the browser.
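For anyone turning that manual check into a fleet inventory, the comparison logic is the part that goes wrong most often. The following is an added example, not Chrome code or anything from the release notes: it extracts the dotted build from a version banner and compares it field by field as integers against the first fixed build. `parse_version`, `extract_version`, `version_at_least`, `chrome_status` and `kFixedBuild` are names chosen here; the banner text is assumed to come from `google-chrome --version` on Linux, the application’s Info.plist on macOS, or chrome://version, and the sample banners in the usage note are constructed.

```cpp
#include <algorithm>
#include <sstream>
#include <string>
#include <vector>

// Parse "149.0.7827.114" into {149, 0, 7827, 114}; anything non-numeric yields {}.
std::vector<unsigned long> parse_version(const std::string& s) {
  std::vector<unsigned long> parts;
  std::string field;
  std::stringstream in(s);
  while (std::getline(in, field, '.')) {
    if (field.empty() || field.find_first_not_of("0123456789") != std::string::npos) return {};
    parts.push_back(std::stoul(field));
  }
  return parts;
}

// Find the first four-part dotted version in a banner such as "Google Chrome 149.0.7827.114".
std::string extract_version(const std::string& banner) {
  const std::string digits = "0123456789";
  for (std::size_t start = banner.find_first_of(digits); start != std::string::npos;
       start = banner.find_first_of(digits, start + 1)) {
    std::size_t end = banner.find_first_not_of(digits + ".", start);
    std::string cand = banner.substr(start, end - start);  // count is clamped when end is npos
    while (!cand.empty() && cand.back() == '.') cand.pop_back();
    if (parse_version(cand).size() == 4) return cand;
  }
  return "";
}

// Field-by-field numeric comparison: true when `have` >= `fixed`. A plain string
// compare would rank 149.0.7827.9 above 149.0.7827.114, the classic inventory bug.
bool version_at_least(const std::string& have, const std::string& fixed) {
  std::vector<unsigned long> a = parse_version(have), b = parse_version(fixed);
  if (a.empty() || b.empty()) return false;
  std::size_t n = std::max(a.size(), b.size());
  for (std::size_t i = 0; i < n; ++i) {
    unsigned long x = i < a.size() ? a[i] : 0, y = i < b.size() ? b[i] : 0;
    if (x != y) return x > y;
  }
  return true;
}

enum class Status { Patched, Vulnerable, Unknown };

// The Linux build from the release notes; the Windows/macOS .115 build compares as newer.
const std::string kFixedBuild = "149.0.7827.114";

// Classify one host from its version banner. Unknown means no version was found,
// which an inventory should report rather than silently treat as patched.
Status chrome_status(const std::string& banner, const std::string& fixed = kFixedBuild) {
  std::string v = extract_version(banner);
  if (v.empty()) return Status::Unknown;
  return version_at_least(v, fixed) ? Status::Patched : Status::Vulnerable;
}
```

On a constructed banner such as `"Google Chrome 148.0.7790.203"` the classifier returns `Vulnerable`, on `"Google Chrome 149.0.7827.115"` it returns `Patched`, and on a banner with no version it returns `Unknown`. The check reports what is installed, not what is running: a host can show the fixed build on disk while the open browser is still the old one until it is relaunched.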
What is a use-after-free vulnerability?
A use-after-free happens when a program keeps using a chunk of memory after it has been released back to the system. An attacker who can control what replaces that memory can redirect execution, and on Chrome a successful UAF exploit can be chained with an operating-system bug to escape the browser’s sandbox. Twelve of the 28 June 11 fixes patch use-after-free defects.
Which of the 28 flaws is the most serious?
All five critical-rated bugs sit in code paths that handle untrusted input from web pages or web APIs, and any of them could be the basis of a drive-by attack. CVE-2026-12010, the heap buffer overflow in the GPU component, is the closest match to the kind of defect that has produced past Chrome zero-days: GPU bugs are reachable from any web page that uses WebGL or the 2D canvas, and the GPU process runs with a looser sandbox than a renderer on some platforms, so a bug there can shorten the chain to a full escape.