
Google Chrome Fixes 28 Security Vulnerabilities: Users Urged to Update Immediately
Google has released a new security update for Chrome, one of the world’s most widely used web browsers. The update addresses a total of 28 security vulnerabilities, several of which have been classified as high-severity and critical issues.
According to security experts, successful exploitation of these vulnerabilities could allow cybercriminals to remotely execute malicious code on users’ devices, gain access to sensitive information, or take complete control of affected systems.
With this release, Chrome has been updated to version 149.0.7827.114/.115 for Windows and macOS, and 149.0.7827.114 for Linux.
What Are the Most Critical Vulnerabilities?
The most serious vulnerabilities addressed in this update are memory management flaws. In particular, the use-after-free vulnerabilities tracked as CVE-2026-12007, CVE-2026-12008, and CVE-2026-12011, affecting the Core, DigitalCredentials, and WebMIDI components, deserve special attention.
These vulnerabilities occur when a program continues to access memory after it has already been freed. Attackers can exploit this condition to manipulate memory contents or achieve arbitrary code execution.
In addition, Google patched CVE-2026-12010, a critical heap buffer overflow vulnerability in the GPU component. This flaw may allow data to be written beyond the allocated memory boundaries, potentially causing application crashes or enabling arbitrary code execution.
Another important vulnerability, CVE-2026-12009, was identified in the Accessibility component. It is caused by insufficient validation of untrusted input, which could allow attackers to bypass certain security mechanisms.
How Could These Vulnerabilities Be Exploited?
To exploit these vulnerabilities, an attacker may only need to persuade a user to visit a specially crafted malicious webpage. Such pages may be distributed through phishing emails or messages, malicious advertising networks, compromised websites, or fraudulent links.
Once a victim visits the malicious webpage, an attacker may exploit the browser vulnerabilities to execute arbitrary code, steal sensitive information, or install additional malware on the affected system.
Additional High-Severity Vulnerabilities Have Also Been Patched
The security update is not limited to critical vulnerabilities alone. Google has also fixed multiple high-severity flaws affecting the Network, Media, Autofill, GPU, Video, and Views components.
Additional issues addressed include:
- Out-of-Bounds Read/Write vulnerabilities in the Codecs, Video, and VideoCapture components;
- Insufficient input validation in the DevTools, Extensions, Network, and Linux Toolkit Theming modules;
- Security policy implementation flaws affecting DevTools and Headless mode;
- A Race Condition vulnerability in the Safe Browsing security mechanism.
In certain scenarios, these vulnerabilities could have enabled attackers to bypass security restrictions, weaken browser protections, or gain unauthorized access to process memory.
Are These Vulnerabilities Being Actively Exploited?
At this time, Google has not confirmed any reports of these vulnerabilities being exploited in real-world attacks.
However, cybersecurity experts note that memory corruption vulnerabilities remain among the most frequently targeted flaws by cybercriminals.
Experience has shown that similar browser vulnerabilities are often incorporated into exploit kits and leveraged in phishing campaigns and malicious advertising attacks.
For this reason, Google continues its policy of withholding detailed technical information about newly patched vulnerabilities until the majority of users have installed the security update. This approach helps reduce the likelihood that threat actors will reverse-engineer the fixes and develop exploits before users are protected.
Recommendations for Organizations and Users
To reduce potential security risks, organizations and users are strongly encouraged to:
- Update Google Chrome to the latest available version immediately;
- Use centralized patch management solutions to ensure timely deployment of updates across workstations and servers;
- Avoid opening links received from unknown or untrusted sources;
- Increase employee awareness of phishing attacks through regular security awareness training;
- Deploy Endpoint Detection and Response (EDR) solutions alongside reputable antivirus software;
- Keep operating systems and all other software up to date;
- Review browser security policies and follow the principle of least privilege.
Google’s latest security update significantly strengthens Chrome’s security by addressing 28 vulnerabilities, including several critical flaws that could potentially allow remote code execution.
Maintaining up-to-date software remains one of the most effective cybersecurity practices. Therefore, all users and organizations are strongly advised to install the latest version of Google Chrome as soon as possible and follow current security best practices to reduce the risk of cyberattacks.



