Google Patches 33 Chrome Flaws, Seven Rated Critical, in Latest Security Update

Google released a Chrome security update June 16 that patches 33 vulnerabilities, seven of them rated critical, targeting flaws that could allow attackers to execute malicious code inside a user’s browser.

The fixes ship in Chrome Version 149.0.7827.155 and .156 for Windows and Mac, and version 149.0.7827.155 for Linux, with the rollout spreading across devices over the coming days and weeks.

Seven Critical CVEs

Six of the seven critical flaws are classified as “use after free” bugs — a memory vulnerability that occurs when a program continues referencing a block of memory after freeing it, creating an opening for attackers to inject and run their own code.

Those six affect Chrome components including WebShare, Digital Credentials (two separate bugs), File Input, the password manager, and Web Authentication.

The seventh critical vulnerability, CVE-2026-12438, sits in WebView and stems from a flawed implementation rather than a memory error.

The full list of critical CVEs:

– CVE-2026-12437 — Use after free in WebShare
– CVE-2026-12438 — Inappropriate implementation in WebView
– CVE-2026-12439 — Use after free in Digital Credentials
– CVE-2026-12440 — Use after free in Digital Credentials
– CVE-2026-12441 — Use after free in File Input
– CVE-2026-12442 — Use after free in Passwords
– CVE-2026-12443 — Use after free in Web Authentication

Google said it has no evidence attackers exploited any of these flaws before the patch reached users, placing this update within a routine security cycle rather than an emergency response.

26 High-Severity Bugs Also Fixed

The update also addresses 26 high-severity vulnerabilities across a wide range of Chrome subsystems, including Extensions, WebRTC (the real-time communication framework), Downloads, Safe Browsing, the Tab Strip, Serial, File System Access, and the GPU process.

Google’s internal security team discovered most of those bugs. Outside researcher Zhixin Tu flagged one exception — a flaw in the Media component logged as CVE-2026-12450.

The high-severity CVEs include heap buffer overflows in WebRTC (CVE-2026-12447, CVE-2026-12466), multiple use-after-free bugs in Extensions and Downloads, insufficient validation issues in Passwords and Input handling, and an uninitialized memory use flaw in the GPU process (CVE-2026-12469).

A race condition in Safe Browsing (CVE-2026-12454) and an incorrect security UI display in Passwords (CVE-2026-12458) round out the higher-risk entries.

How to Update

Users Can wait for Chrome to apply the update automatically or trigger it manually by navigating to the three-dot menu, selecting Help, then About Google Chrome.

Because Google stages rollouts gradually, the new version may not appear immediately even after a manual check.

Chrome held roughly a 65.8% share of the global browser market as of May 2026, according to StatCounter, making its patch cycles among the most widely watched in consumer software security.