Chrome 149 and Spring HATEOAS Security Updates Address Critical Vulnerabilities and UAF Bugs
- Jun 12
- 2 min read
Key Findings
Chrome 149 addresses 28 security vulnerabilities across desktop platforms, with 5 critical flaws that could enable arbitrary code execution
Critical use-after-free bugs dominate the patch set, affecting Core, DigitalCredentials, WebMIDI, and GPU components
One critical flaw involves insufficient input validation in Accessibility features, while another is a heap buffer overflow in GPU
23 high-severity issues span Network, Media, Cast, Autofill, DevTools, and Extensions components
Most vulnerabilities identified internally by Google; one use-after-free in Media (CVE-2026-12013) reported by independent researcher Henock Habte
Spring HATEOAS flaws CVE-2026-41006 and CVE-2026-41007 impact versions 1.5 through 3.0, enabling data manipulation and heap exhaustion attacks
Fixed versions available: Spring HATEOAS 2.5.3 and 3.0.4
Background
Google's Chrome security team regularly releases patches to address emerging threats. This update represents a significant maintenance cycle with particular focus on memory safety issues. Spring HATEOAS, a Java library for building hypermedia-driven APIs, also requires immediate attention due to design flaws in data handling and caching mechanisms.
Chrome 149 Critical Use-After-Free Vulnerabilities
Five vulnerabilities earned critical ratings in this release. CVE-2026-12007 exploits use-after-free in the Core component, while CVE-2026-12008 affects DigitalCredentials through the same mechanism. WebMIDI suffers from an identical flaw classified as CVE-2026-12011. A heap buffer overflow in the GPU component (CVE-2026-12010) and insufficient input validation in Accessibility features (CVE-2026-12009) round out the critical set. These flaws could allow attackers to execute arbitrary code or completely crash the browser, potentially compromising system security.
Chrome 149 High-Severity Bug Landscape
Twenty-three high-severity issues extend across multiple Chrome components. Use-after-free conditions recur frequently, impacting Autofill, GPU, Video, and Views. Network, Media, Cast, and Extensions components also received fixes. DevTools and Headless mode patches address policy enforcement gaps, while Safe Browsing received attention for race condition vulnerabilities.
Spring HATEOAS Data Validation Bypass
CVE-2026-41006 stems from improper handling of Collection JSON and UBER data types. The vulnerability creates an internal path that bypasses essential validation checks during runtime. Applications exposing data models with weak setters become susceptible to unauthorized modification. Attackers can manipulate data with minimal effort, potentially compromising application integrity and confidentiality.
Spring HATEOAS Unbounded Cache Heap Exhaustion
CVE-2026-41007 results from an unbounded static cache that stores incoming strings without memory limits. Attackers sending malicious links can rapidly fill heap space, triggering denial of service through server crashes. This design flaw makes applications vulnerable to resource exhaustion attacks that degrade performance and availability.
Recommended Actions
Chrome users should verify their version matches 149.0.7827.114 or later. Restarting the browser completes automatic updates. Given the volume of critical vulnerabilities, delaying this update significantly increases exploitation risk. Java developers using Spring HATEOAS must upgrade to version 2.5.3 or 3.0.4 immediately, with older versions requiring support plan arrangements. Organizations should prioritize these patches across their infrastructure to maintain security posture against active threats.
Sources
https://securityonline.info/chrome-149-security-update-28-flaws/
https://securityonline.info/spring-hateoas-flaws/

Comments