Chrome 149 Arrives With Record 429 Security Fixes
Google has released Chrome 149 for Windows, macOS, Linux and Android, delivering what may be the browser’s largest security update ever. The new version patches a staggering 429 security vulnerabilities, including 22 classified as critical, although Google says none of the flaws have been actively exploited in the wild so far.
The update also introduces new PDF editing capabilities, further expanding Chrome’s built-in document tools.
Chrome’s PDF Viewer Becomes More Powerful
The most visible feature in Chrome 149 is an upgrade to the browser’s integrated PDF viewer.
Users can now:
- Fill out PDF forms
- Add annotations
- Sign PDF documents directly within Chrome
The move continues an industry trend of turning browsers into lightweight PDF editors, reducing the need for third-party software for basic document tasks.
Delayed Features Still Missing
Several previously announced Chrome features remain unavailable for many users.
Among the delayed additions are:
- Vertical tab layouts
- An expanded Reading Mode that fills the entire browser window
Both features were originally expected earlier in 2026 but have yet to receive a broad rollout.
Record-Breaking Security Update
The biggest story surrounding Chrome 149 is security.
According to Google’s release information, the update fixes 429 vulnerabilities, more than any previous Chrome release.
Google internally discovered 371 vulnerabilities, while external security researchers identified and reported the remainder. Researchers have received a combined $209,000 in bug bounty rewards for their findings.
22 Critical Vulnerabilities Patched
Of the vulnerabilities addressed:
- 22 are classified as Critical
- 87 are classified as High risk
- 226 are classified as Medium risk
- 94 are classified as Low risk
The critical vulnerabilities include a series of flaws tracked as CVE-2026-10881 through CVE-2026-10902.
Many of these issues involve use-after-free (UAF) vulnerabilities, a class of memory-management flaw that can potentially allow attackers to execute malicious code.
Use-After-Free Bugs Lead the List
The most common vulnerability category fixed in Chrome 149 was use-after-free errors.
Google patched:
- 110 use-after-free vulnerabilities
- 88 input validation flaws
- 60 implementation-related security issues
These types of bugs are particularly concerning because they often affect core browser components and can sometimes be leveraged for remote code execution attacks.
WebGL Component Receives Major Attention
The browser component with the largest number of fixes was ANGLE, the WebGL translation layer responsible for graphics rendering.
Security fixes included:
- 37 vulnerabilities in ANGLE
- 18 vulnerabilities affecting browser extensions
- 18 vulnerabilities involving media processing
When codec-related flaws are included, media handling accounts for a total of 28 patched vulnerabilities.
AI Tools Helped Find More Bugs
The dramatic increase in discovered vulnerabilities is believed to be partly linked to Google’s growing use of AI-powered security research tools, including systems such as Big Sleep.
These automated tools are increasingly being used to identify coding mistakes, memory-management issues and other security weaknesses before attackers can exploit them.
Update Recommended Immediately
Chrome typically updates automatically, but users can manually check by navigating to:
Help → About Google Chrome
or
Settings → About Google Chrome
Google has also released corresponding updates for Android and iOS devices, while Chrome 150 is expected to arrive later this month.
Given the unusually large number of patched vulnerabilities—including dozens rated critical or high risk—users are strongly encouraged to update as soon as possible.