Google has released Chrome 149 for Windows, macOS, Linux, and Android after fixing 74 security issues. The urgent item for everyday users is CVE-2026-11645, an out-of-bounds memory access flaw in V8. Google says an exploit for this CVE exists in the wild, so the practical response is simple: update Chrome and fully relaunch the browser.
For desktop Chrome, the protected builds are 149.0.7827.102/.103 for Windows and macOS and 149.0.7827.102 for Linux. Chrome for Android 149.0.7827.102 is rolling out through Google Play over the next few days. If Chrome has downloaded the update but has not been relaunched, the old vulnerable session can still be running.
Who Should Act
This is not only an administrator issue. Home users, office desktops, laptops left open for days, Chrome work profiles, and Android devices should all check their version. V8 bugs matter because JavaScript runs in ordinary web pages, ads, web previews, and other browser-delivered content.
| Situation | What to do |
|---|---|
| Chrome on Windows, macOS, or Linux | Open Settings -> About Chrome, let the update reach 149.0.7827.102/.103, and click Relaunch. |
| Chrome on Android | Check Google Play or the Chrome Play Store page. If the update is not visible yet, check again later during the rollout. |
| Another Chromium browser | Open that browser’s About/Update page. Do not assume it is protected only because Chrome has updated. |
| Suspicious tab, redirect, or download before updating | Close the browser, review downloads and extensions, and scan the Windows PC with a second-opinion tool such as Gridinsoft Anti-Malware. |
Why Relaunching Matters
Chrome often downloads security updates in the background, but the old browser code can keep running until Chrome restarts. That creates a common false sense of safety: the update is available, but the active browser session is still the vulnerable one. For an exploited-in-the-wild CVE, the relaunch button is part of the fix.
If Chrome is managed by an organization, check whether update policies also enforce a restart deadline. On a personal computer, open About Chrome, wait for the update status, click Relaunch, and confirm the browser reports 149.0.7827.102/.103 or newer after it opens again.
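For administrators checking many machines, the installed-versus-running gap described above can be classified automatically. This is an added example, not code from Google or the original article; the inventory fields (installed version, running version) and host names are assumptions, and versions are compared numerically because a plain string comparison would rank a constructed older build like 149.0.7827.99 above 149.0.7827.102.

```python
import re

# Minimum protected build per platform, as listed on this page.
FIXED = {p: (149, 0, 7827, 102) for p in ("windows", "macos", "linux", "android")}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Pull a four-part version out of text such as 'Google Chrome 149.0.7827.102'."""
    m = VERSION_RE.search(text or "")
    return tuple(int(part) for part in m.groups()) if m else None

def classify(platform, installed, running):
    """Return 'protected', 'relaunch-needed', 'update-needed' or 'unknown'.

    installed: version on disk; running: version of the live browser process,
    or None if Chrome is not running. Both fields are assumed inventory data.
    """
    fixed = FIXED.get(platform.lower())
    inst, run = parse_version(installed), parse_version(running)
    if fixed is None or inst is None:
        return "unknown"
    if inst < fixed:
        return "update-needed"
    # The update is on disk, but an old process keeps the vulnerable code live.
    if run is not None and run < fixed:
        return "relaunch-needed"
    return "protected"

# Constructed sample inventory (hosts and the .99 build are made up for illustration).
INVENTORY = [
    ("host-a", "windows", "149.0.7827.103", "149.0.7827.103"),
    ("host-b", "linux", "Google Chrome 149.0.7827.102", "Google Chrome 149.0.7827.99"),
    ("host-c", "macos", "149.0.7827.99", "149.0.7827.99"),
    ("host-d", "android", "149.0.7827.102", None),
]

def report(inventory=INVENTORY):
    """Map each host to its status."""
    return {host: classify(plat, inst, run) for host, plat, inst, run in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```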
What to Check After Updating
- Open chrome://settings/help and verify the version number.
- Use the Relaunch button or close every Chrome window before reopening the browser.
- Review extensions and disable anything unknown, recently added, or force-installed by a policy you do not recognize.
- Check recent downloads if you saw redirects, suspicious tabs, or unexpected files before updating.
- Run a full Windows scan if Chrome keeps opening pages by itself, new processes appear, or security software reports blocked outbound connections.
This update does not mean every Chrome user was attacked. It does mean waiting is the wrong tradeoff: the exploit exists, and a browser restart is the fastest way to remove the known vulnerable build from your active session.
FAQ
Which Chrome version fixes CVE-2026-11645?
Google lists desktop builds 149.0.7827.102/.103 for Windows and macOS and 149.0.7827.102 for Linux. Chrome for Android 149.0.7827.102 is also rolling out through Google Play.
Do I need to uninstall Chrome?
No. The normal action is to update and relaunch Chrome. Uninstalling is not needed unless you have separate signs of compromise, unwanted extensions, or browser-hijacker behavior.
Are Edge, Brave, Opera, and other Chromium browsers automatically fixed?
Not automatically. They use Chromium components, but each browser has its own update channel. Check the About/Update page for every Chromium-based browser you use.
References
- Google Chrome Releases. “Stable Channel Update for Desktop.” Google, published June 8, 2026, accessed June 9, 2026. https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0153744567.html
- Google Chrome Help. “Update Google Chrome.” Google Support, accessed June 9, 2026. https://support.google.com/chrome/answer/95414

