Google has officially launched Chrome 149 on the stable channel, addressing a staggering 429 security vulnerabilities. This update marks a significant milestone with the highest number of fixes in a single Chrome release to date.
AI Influence on Increased Vulnerabilities
The number of Chrome vulnerabilities fixed so far this year has already surpassed the total number of fixes in 2025, a rise attributed to the growing use of AI technologies. This development prompted Google to reduce bug bounty payouts in April.
Among the patched flaws, over 100 were rated critical or high severity, predominantly involving use-after-free errors and inadequate validation of untrusted inputs.
Critical Flaws and Bug Bounties
The most severe flaw, CVE-2026-10881, received a CVSS score of 9.6. This out-of-bounds read and write issue in the ANGLE graphics engine could allow remote attackers to escape Chrome’s sandbox and execute code on the operating system.
Google awarded $97,000 to the researcher who reported this vulnerability. Additionally, two other critical issues reported by external researchers, CVE-2026-10882 and CVE-2026-10883, were rewarded with $43,000 and $5,000, respectively.
Internal and External Research Contributions
Of the 19 critical vulnerabilities addressed, most were identified by Google’s internal team. Out of approximately 90 high-severity flaws, only 10 were reported by external researchers.
In the medium and low-severity categories, around 40 of over 300 vulnerabilities were reported by external sources. Key issues included use-after-free, inappropriate implementation, and out-of-bounds flaws.
Financial Rewards and Future Implications
Google has already distributed about $208,000 in bug bounties for this update. However, the final figure is expected to rise as more reports are processed.
The latest Chrome version, 149.0.7827.53, is now available for Linux, and versions 149.0.7827.53/54 have been released for Windows and macOS. This extensive security overhaul emphasizes Google’s commitment to maintaining a secure browsing environment.
This update highlights the importance of continuous security assessments and the role of both internal and external researchers in safeguarding digital platforms.
