Google Chrome 150 fixes 27 vulnerabilities – Update Now
Google has released an urgent security update for Chrome’s Stable channel, advancing desktop builds to 150.0.7871.114/.115 on Windows and macOS and 150.0.7871.114 on Linux.
The July patch addresses 27 vulnerabilities, many involving memory-safety defects such as use-after-free and uninitialized memory, that Google rates as critical or high severity.
Because several of the flaws could enable remote code execution (RCE) via specially crafted web content, administrators and end users should prioritize immediate updates as the rollout proceeds over the coming days.
At the center of the release are multiple use-after-free (UAF) bugs, notably CVE-2026-15112 in Ozone and CVE-2026-15129 in Views, both classified as critical.
Google Chrome 150 fixes 27 vulnerabilities
UAF vulnerabilities occur when code references freed memory, creating opportunities for attackers to corrupt heap state, divert control flow, or forge objects that lead to code execution within the renderer or other privileged browser subsystems.
When paired with sandbox-escape techniques, such chains can progress from arbitrary script execution to full system compromise on poorly hardened hosts.
The update’s scope underscores how broad Chrome’s attack surface has become: affected components include V8 (the JavaScript engine), WebRTC, Autofill, Extensions, DOM handling, media codecs, WebGL, and various user-interaction features such as Forms and Passwords.
Beyond UAFs, the patched defects include uninitialized memory use, integer overflows, out-of-bounds reads/writes, type and implementation logic errors, and insufficient validation of untrusted input.
Several media-processing and graphics-related bugs (Codecs, WebGL) highlight the persistent risk of attackers weaponizing crafted media or rendering primitives to trigger memory corruption.
Google’s security bulletin credits both internal teams and external researchers for reporting issues between April and June 2026, with select reporters receiving bug bounties.
| CVE ID | Vulnerability Type | Component | Reported By |
|---|---|---|---|
| CVE-2026-15132 | Uninitialized Use | V8 | Pierre Langlois (Arm) |
| CVE-2026-15133 | Use after free | InterestGroups | Jihyeon Jeong (Seoul National University) |
| CVE-2026-15108 | Integer overflow | Extensions API | |
| CVE-2026-15109 | Uninitialized Use | ANGLE | |
| CVE-2026-15110 | Use after free | Extensions | |
| CVE-2026-15111 | Use after free | Views | |
| CVE-2026-15113 | Use after free | Autofill | |
| CVE-2026-15114 | Out of bounds read/write | Codecs | |
| CVE-2026-15115 | Insufficient validation | WebAppInstalls | |
| CVE-2026-15116 | Use after free | Actor | |
| CVE-2026-15117 | Use after free | Payments | |
| CVE-2026-15118 | Use after free | Input | |
| CVE-2026-15119 | Inappropriate implementation | GetUserMedia | |
| CVE-2026-15120 | Use after free | Core | |
| CVE-2026-15121 | Use after free | WebRTC | |
| CVE-2026-15122 | Insufficient validation | Codecs | |
| CVE-2026-15123 | Insufficient data validation | DOM | |
| CVE-2026-15124 | Insufficient policy enforcement | Passwords | |
| CVE-2026-15125 | Inappropriate implementation | Forms | |
| CVE-2026-15126 | Use after free | Forms | |
| CVE-2026-15127 | Inappropriate implementation | WebGL | |
| CVE-2026-15128 | Inappropriate implementation | Forms | |
| CVE-2026-15130 | Insufficient policy enforcement | Navigation |
Notable submissions include a high-reward IndexedDB use-after-free (CVE-2026-15107) reported by zh1x1an1221 at Ant Group’s Tianqiong Security Lab, as well as various V8 and component reports from independent researchers.
Google has withheld detailed exploitability guidance for certain bugs until updates reach a broad user base to reduce the risk of active exploitation.
From an exploitation perspective, UAFs and uninitialized reads are attractive to attackers because they can often be shaped by attacker-controlled input to produce predictable heap layouts or to leak pointers, critical prerequisites for bypassing modern mitigations such as ASLR and Control Flow Integrity.
Attack chains frequently stitch together a memory-corruption primitive in the renderer or media stack with a sandbox escape or privileged process bug to achieve persistent code execution. That makes quick patching essential for both consumer devices and enterprise deployments.
MIitigation
Recommended actions for organizations and users
- Update immediately: accept the Chrome Stable update or deploy patched binaries via enterprise management channels.
- Enforce automatic updates where possible to accelerate protection across endpoints.
- Harden browser policies: restrict or disable unnecessary extensions, block untrusted plugins, and disable automatic handling of untrusted file types.
This release is a reminder that modern browsers remain a rich target for attackers due to their complexity and privileged functionality.
Rapid adoption of the Chrome 150.0.7871.114/.115 update, combined with operational hardening and monitoring, will reduce exposure while Google continues its work with fuzzing tools and memory-safety instrumentation to proactively find and fix such defects.
No Comment! Be the first one.