Chrome patches record 429 flaws, including a sandbox-escape RCE
Google shipped Chrome 149 with fixes for 429 security bugs, the most ever in a single Chrome release. More than 100 are rated critical or high. The worst, an out-of-bounds read and write in the ANGLE graphics engine that Chrome uses to render web pages, lets a booby-trapped website break out of the browser's protective sandbox and run code on the victim's computer; Google paid a $97,000 bounty for it. None are confirmed under attack yet, but a sandbox escape is the kind of bug attackers race to weaponize, so patching before that happens matters.
- Check
- Check the Chrome version on every managed endpoint (chrome://version or your MDM inventory) and confirm Chromium-based browsers like Edge and Brave are also updated.
- Affected
- Google Chrome before version 149 on Windows, macOS, and Linux. Worst flaw CVE-2026-10881 (CVSS 9.6), an ANGLE out-of-bounds read and write enabling sandbox escape.
- Fix
- Update Chrome to version 149 or later and relaunch to apply it. Push the update through enterprise policy and patch Edge, Brave, and other Chromium browsers.