Key takeaway: The 429 patched vulnerabilities in Chrome 149 far exceed the entire patch count for 2025; AI-powered code analysis drives the discovery rate.
Google has released Chrome 149, fixing 429 security vulnerabilities in a single update – a historic record for a Chrome version. Over 100 of the flaws were classified as critical or high severity; key vulnerabilities are located in the ANGLE graphics engine.
Google has released version 149 of the Chrome browser to the stable channel, closing 429 security vulnerabilities – an unprecedented amount for a single update. This number already exceeds the total number of all Chrome patches released in 2025 by a multiple. The massive increase is primarily attributed to the intensive use of artificial intelligence in code analysis; Google had already lowered bug bounty rewards in April.
Over 100 of the vulnerabilities were classified as critical or high severity. The focus is on use-after-free vulnerabilities and insufficient validation of untrusted input data. The most critical vulnerability bears the identifier CVE-2026-10881 and achieves a CVSS score of 9.6. It affects a buffer read and write out-of-bounds error in the ANGLE graphics engine. Attackers can exploit this vulnerability through malicious HTML pages to bypass the Chrome sandbox and execute malicious code directly on the operating system. Google paid the security researcher who reported this flaw $97,000.
Two additional critical vulnerabilities were also reported externally: CVE-2026-10882, a use-after-free vulnerability in the networking component ($43,000 bounty), and CVE-2026-10883, an out-of-bounds write error in ANGLE ($5,000). The remaining 19 critical vulnerabilities come from Google’s internal security team. Of approximately 90 high-priority flaws, only ten came from external researchers; over 300 medium and low severity vulnerabilities stemmed largely from internal analysis.
Google paid a total of at least $208,000 in bug bounty rewards; the actual amount is higher, as rewards for over a dozen reports have not yet been publicly disclosed. Chrome 149 is being rolled out in versions 149.0.7827.53 and 149.0.7827.54. CISOs should prioritize this update in their browser rollout processes, particularly due to the sandbox bypass vulnerability in CVE-2026-10881.
Source: www.it-daily.net · Published 8 June 2026
Lumi AI News — AI-assisted curation per Art. 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.6.5.