Google Chrome 150 Patches 382 Security Flaws, Including 15 Critical Bugs
Google has released Chrome 150 to the stable channel with fixes for 382 security vulnerabilities, including 15 critical bugs that affect major browser components such as Extensions, GPU, WebUSB, Chromoting, Bluetooth, Browser, Views, Ozone, and Fullscreen.
The update is rolling out for Windows, macOS, and Linux as Chrome 150.0.7871.46 for Linux and 150.0.7871.46/.47 for Windows and Mac, according to the official Chrome Releases notes published on June 30, 2026.
Users and administrators should install the update as soon as it becomes available. Google says access to some bug details may remain restricted until most users receive the fix, which reduces the chance that attackers can quickly build exploits from public details.
Chrome 150 Fixes 382 Security Issues
The Chrome 150 stable update is unusually large. Google lists 382 security fixes, with the most severe bugs rated critical and many others rated high, medium, or low severity.
The critical issues include use-after-free flaws, type confusion, and insufficient validation of untrusted input. These bug classes can create memory corruption or unsafe browser behavior when triggered by malicious web content or attacker-controlled data.
Google also released Chrome 150 for Android. The Chrome for Android release notes say Android releases include the same security fixes as the corresponding desktop releases unless Google notes an exception.
| Platform | Updated version | Status |
|---|---|---|
| Windows | 150.0.7871.46/.47 | Rolling out over the coming days and weeks |
| macOS | 150.0.7871.46/.47 | Rolling out over the coming days and weeks |
| Linux | 150.0.7871.46 | Rolling out over the coming days and weeks |
| Android | 150.0.7871.63 | Rolling out through Google Play |
The 15 Critical Chrome Vulnerabilities
The 15 critical vulnerabilities are tracked as CVE-2026-13774 through CVE-2026-13788. Most are use-after-free flaws, a common memory-safety issue where software keeps using memory after it has already been freed.
Use-after-free bugs can become dangerous in browsers because attackers may use carefully crafted pages, extension content, device interactions, or rendering paths to corrupt memory and influence browser execution.
Google’s stable channel update lists the critical flaws across Extensions, GPU, Dawn, iOSWeb, WebUSB, Chromoting, ANGLE, Skia, Browser, Views, Bluetooth, Ozone, and Fullscreen.
| CVE | Component | Bug type | Severity |
|---|---|---|---|
| CVE-2026-13774 | Extensions | Use after free | Critical |
| CVE-2026-13775 | GPU | Use after free | Critical |
| CVE-2026-13776 | Dawn | Type confusion | Critical |
| CVE-2026-13777 | iOSWeb | Insufficient validation of untrusted input | Critical |
| CVE-2026-13778 | WebUSB | Use after free | Critical |
| CVE-2026-13779 | Chromoting | Use after free | Critical |
| CVE-2026-13780 | ANGLE | Insufficient validation of untrusted input | Critical |
| CVE-2026-13781 | Skia | Insufficient validation of untrusted input | Critical |
| CVE-2026-13782 | Browser | Use after free | Critical |
| CVE-2026-13783 | Views | Use after free | Critical |
| CVE-2026-13784 | Views | Use after free | Critical |
| CVE-2026-13785 | Bluetooth | Use after free | Critical |
| CVE-2026-13786 | Ozone | Use after free | Critical |
| CVE-2026-13787 | Chromoting | Use after free | Critical |
| CVE-2026-13788 | Fullscreen | Use after free | Critical |
Why These Chrome Bugs Matter
Browser vulnerabilities matter because the browser sits between users and untrusted content all day. A malicious page, file, extension, or web interaction can reach complex code paths in graphics, rendering, networking, permissions, and device APIs.
Several of the critical flaws affect high-risk areas. GPU, Dawn, ANGLE, and Skia all sit close to graphics and rendering. WebUSB and Bluetooth involve device-related surfaces. Extensions and Chromoting can matter heavily in enterprise environments.
Google’s Chromium Security page explains that the project works on secure architecture, bug fixing, hardening, and vulnerability coordination across the Chromium platform.
- Use-after-free flaws can cause memory corruption.
- Type confusion can make software treat one kind of object as another.
- Input validation flaws can let untrusted data reach unsafe code paths.
- Graphics and rendering bugs can be triggered by web content.
- Extension-related bugs can affect users and organizations with large extension fleets.
- Remote access components such as Chromoting deserve extra review in managed environments.
High-Severity Bugs Expand The Risk Surface
The 15 critical bugs are the headline, but Chrome 150 also fixes many high-severity vulnerabilities. These include issues in GPU, Downloads, SVG, WebAppInstalls, Chrome for iOS, Chromecast, QUIC, Updater, WebRTC, Media, PDF, Network, Passwords, and other components.
High-severity Chrome bugs may not always lead directly to full compromise by themselves. However, attackers often chain several browser bugs together to improve reliability, escape restrictions, or bypass user-facing security checks.
That is why administrators should avoid patching only when a public exploit appears. Large browser updates reduce the number of building blocks attackers can combine in future exploit chains.
| Component group | Examples in this update | Security concern |
|---|---|---|
| Rendering and graphics | GPU, Skia, ANGLE, Dawn, SVG | Memory corruption through crafted web content |
| Browser features | Fullscreen, Views, Browser, Downloads | Unsafe UI or browser-state behavior |
| Device and platform APIs | WebUSB, Bluetooth, WebRTC | Abuse of device-facing or communication features |
| Enterprise and remote access | Extensions, Chromoting, Updater | Fleet risk across managed devices |
| Mobile and casting | Chrome for iOS, Chromecast | Platform-specific exposure outside desktop |
No Public Exploitation Notice In This Chrome 150 Bulletin
Google’s June 30 Chrome 150 bulletin does not state that any of the 15 critical vulnerabilities are being exploited in the wild. That is an important difference from emergency Chrome updates where Google explicitly warns about active exploitation.
Even without a public exploitation warning, the update deserves urgency. Browser exploit details often become more useful to attackers after patches ship and researchers compare fixed and vulnerable code.
Chrome’s disclosure practice also limits access to bug details until enough users receive the update. That delay gives users and enterprises time to patch before technical information becomes easier to obtain.
How Google Found Many Of The Bugs
Google credits internal teams and outside researchers for the Chrome 150 fixes. The release notes also say many Chrome security bugs are found with tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL.
These tools help find memory errors, undefined behavior, bad assumptions, and parser bugs before attackers can use them. They are especially important in a browser because Chrome handles many file formats, web APIs, scripts, graphics paths, and device interfaces.
The Chromium security team also manages vulnerability reporting and responsible disclosure for Chrome and Chromium. That process helps keep unfixed bug details private while fixes move through the release pipeline.
What Users Should Do Now
Most Chrome users receive updates automatically, but the patch only protects the browser after the update installs and Chrome restarts. Users who keep browser windows open for long periods should check manually.
Google’s Chrome update help says desktop users can open Chrome, go to the three-dot menu, choose Help, open About Google Chrome, and relaunch when prompted.
Android users should install the update through Google Play. Since the Android stable update carries the same desktop security fixes unless otherwise noted, mobile users should not ignore the release.
- Open Chrome and go to Help > About Google Chrome.
- Let Chrome check for the latest update.
- Relaunch the browser when prompted.
- On Android, update Chrome through Google Play.
- On Linux, update Chrome through the system package manager.
- Restart managed browsers after enterprise deployment completes.
Enterprise Admins Should Prioritize Managed Rollout
Enterprises should test and roll out Chrome 150 quickly across managed Windows, macOS, Linux, Android, and iOS fleets where applicable. The update touches components that many organizations depend on, including extensions, remote desktop, device APIs, and graphics features.
Organizations using many browser extensions should review extension governance at the same time. Critical flaws in the Extensions component make it important to restrict unnecessary extensions and keep policies tight.
Chrome’s Enterprise and Education release notes can help administrators track broader Chrome changes alongside security updates, especially in environments with staged rollouts and policy testing.
| Enterprise area | Why it matters after this update | Recommended action |
|---|---|---|
| Extensions | Critical extension-related flaw fixed | Review allowlists and remove unused extensions |
| Remote desktop | Chromoting had critical use-after-free fixes | Review remote access policy and monitor usage |
| Device APIs | WebUSB and Bluetooth bugs were fixed | Restrict device permissions where possible |
| Graphics stack | GPU, Dawn, ANGLE, and Skia received critical fixes | Deploy the update broadly, not only to high-risk users |
| Update compliance | Large patch set increases risk from stale browsers | Track version reporting and force relaunch where needed |
Chrome 151 Confusion Explained
The security update is for Chrome 150, not Chrome 151. On July 1, Google also announced Chrome Beta 151 for iOS, but that beta announcement is separate from the June 30 stable security release.
This distinction matters for administrators. Stable-channel users should look for the Chrome 150 builds listed by Google, while beta users may see different version numbers that do not represent the same production rollout.
In managed environments, admins should confirm the installed browser version through their management console or endpoint inventory. A browser that has downloaded the update but has not relaunched may still run the older vulnerable process.
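The check described above, as an added example that is not from Google or the original article: it compares each device's installed and running Chrome build with the fixed builds from the version table and separates "not updated" from "updated but not relaunched". The inventory field names (`host`, `platform`, `channel`, `installed`, `running`) and all sample records are assumptions made for illustration.

```python
# Fixed stable builds per platform, copied from the version table in this article.
FIXED_BUILDS = {
    "windows": "150.0.7871.46", "macos": "150.0.7871.46",
    "linux": "150.0.7871.46", "android": "150.0.7871.63",
}

def parse_version(text):
    """'150.0.7871.46' -> (150, 0, 7871, 46); tuples compare numerically, strings do not."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(record):
    """Classify one inventory record (hypothetical field names) against the fixed build."""
    floor_text = FIXED_BUILDS.get(str(record.get("platform", "")).lower())
    if floor_text is None:
        return "unknown"            # platform with no build listed in the table
    if record.get("channel") != "stable":
        return "review_channel"     # beta builds are not the stable rollout
    try:
        installed = parse_version(record["installed"])
        running = parse_version(record["running"])
    except (KeyError, ValueError, AttributeError):
        return "unknown"            # missing or malformed version data
    floor = parse_version(floor_text)
    if installed < floor:
        return "outdated"           # update not installed yet
    if running < floor:
        return "needs_relaunch"     # update on disk, old process still running
    return "compliant"

def summarize(inventory):
    """Group host names by compliance status."""
    report = {}
    for record in inventory:
        report.setdefault(classify(record), []).append(record.get("host", "?"))
    return report

# Constructed sample inventory: hosts and non-fixed version numbers are made up.
SAMPLE_INVENTORY = [
    {"host": "ws-001", "platform": "windows", "channel": "stable", "installed": "150.0.7871.47", "running": "150.0.7871.47"},
    {"host": "ws-002", "platform": "Windows", "channel": "stable", "installed": "150.0.7871.46", "running": "149.0.7000.10"},
    {"host": "lx-003", "platform": "linux", "channel": "stable", "installed": "150.0.7871.9", "running": "150.0.7871.9"},
    {"host": "ph-004", "platform": "android", "channel": "stable", "installed": "150.0.7871.46", "running": "150.0.7871.46"},
    {"host": "mb-005", "platform": "macos", "channel": "beta", "installed": "151.0.7900.5", "running": "151.0.7900.5"},
    {"host": "ws-006", "platform": "windows", "channel": "stable", "installed": "150.0.7871.46", "running": None},
]
print(summarize(SAMPLE_INVENTORY))
```

The `lx-003` record shows why versions are parsed into integers: as plain strings, `150.0.7871.9` sorts after `150.0.7871.46` and the host would pass the check.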
Bottom Line
Chrome 150 is a major security update. It fixes 382 vulnerabilities, including 15 critical flaws across core browser components that attackers could use as part of code execution or browser compromise chains.
Google has not flagged active exploitation for the critical flaws in this specific release, but the size and severity of the patch set make fast deployment important. Users should update and relaunch Chrome, while enterprises should verify fleet-wide compliance.
Google’s update instructions remain the simplest check for individuals, while enterprise teams should follow their normal testing and deployment channels using the enterprise release notes as a companion reference.
FAQ
It is a Chrome 150 stable-channel update. Google listed Chrome 150.0.7871.46 for Linux and 150.0.7871.46/.47 for Windows and Mac. Chrome 151 was in beta for iOS on July 1, 2026.
Google fixed 382 security issues in the Chrome 150 stable update, including 15 vulnerabilities rated critical.
The critical vulnerabilities affected Extensions, GPU, Dawn, iOSWeb, WebUSB, Chromoting, ANGLE, Skia, Browser, Views, Bluetooth, Ozone, and Fullscreen.
Google’s June 30 Chrome 150 bulletin did not state that any of the listed critical flaws are being exploited in the wild. Users should still update quickly because browser bugs can become easier to exploit after patches are released.
Desktop users can open Chrome, go to Help, select About Google Chrome, let the browser check for updates, and relaunch when prompted. Android users should update Chrome through Google Play.