Chrome's stable channel moved to version 149 on Thursday, and the SecurityWeek summary of the release describes a 28-vulnerability patch set in which memory-safety defects carry most of the weight. Twelve of the 28 fixes are use-after-free bugs, including three rated critical.
The distribution of severity tells part of the story. Five bugs are rated critical: use-after-free flaws in Core, DigitalCredentials, and WebMIDI, an insufficient-input-validation bug in Accessibility, and a heap buffer overflow in GPU. The other 23 are high-severity and break down as nine more use-after-free defects, four cases of insufficient validation of untrusted input, three inappropriate-implementation issues, two insufficient-policy-enforcement bugs, two out-of-bounds reads, one out-of-bounds write, one race condition, and one additional heap buffer overflow.
Use-after-free is a memory-safety class with a long track record of leading to remote code execution, data corruption, denial of service, and, when chained with an operating-system or privileged-component defect, sandbox escape. With twelve of the 28 Chrome 149 fixes in that single class, the release is a clean sample of where Chrome's vulnerability surface still lives. Add the two heap buffer overflows, another memory-safety family, and fourteen of the 28 fixes fall in the same broad category.
The SecurityWeek piece on Chrome 149 is explicit that Google is "actively battling" this class of memory-safety defect. The published excerpt is truncated where the broader engineering strategy is concerned, which is a real limit on what a single trade-press summary can establish. The primary record lives in the Google Chrome stable-channel release notes and the Chromium security advisory, which would carry the exact CVE identifiers, affected version ranges, and external researcher credits that the trade-press write-up does not surface. The article also reports no in-the-wild exploitation for this specific batch of 28 bugs, and any framing that treats them as actively weaponized would outrun the evidence on hand.
What the source does support is a structural read. A 28-bug release in which 12 are use-after-free and 2 more are heap buffer overflows is consistent with a long-running pattern: memory-safety flaws dominate the volume of Chrome security work, and a single monthly patch set is a snapshot of that pattern rather than a break from it. The patch list is the surface. The underlying concentration is the story, and it points back at a defect class that the browser's security program has been working to retire.