The Chrome 149 update patches 28 vulnerabilities, including five critical and 23 high-severity issues. Critical bugs include use-after-free vulnerabilities in Core, DigitalCredentials, and WebMIDI components, an insufficient validation flaw in Accessibility, and a heap buffer overflow in GPU. The high-severity bugs cover a range of memory safety and logic errors such as use-after-free, insufficient input validation, inappropriate implementation, policy enforcement failures, out-of-bounds memory access, race conditions, and heap buffer overflows. Use-after-free bugs are particularly notable as they can be exploited for remote code execution or sandbox escape when combined with other system vulnerabilities. Google has not observed exploitation of these vulnerabilities in the wild. The update is available as Chrome versions 149.0.7827.114 and 149.0.7827.115 for Windows and macOS, and 149.0.7827.114 for Linux.

The vulnerabilities fixed in Chrome 149 include critical memory safety bugs such as use-after-free and heap buffer overflows that could allow remote code execution, data corruption, denial-of-service, or sandbox escape under certain conditions. The presence of insufficient validation and policy enforcement flaws could lead to unauthorized actions or security bypasses. Although no active exploitation has been reported, the critical nature of these bugs poses a significant risk if left unpatched.

A security update to Chrome version 149.0.7827.114/115 has been released that addresses these vulnerabilities. Users and administrators should apply this update promptly to mitigate the risks. Since this is a client-side application, patching the browser is the primary and effective mitigation. No additional vendor advisories indicate alternative mitigations or that these issues are already mitigated without patching.