Chrome Update Fixes 27 Security Vulnerabilities, Including Two Critical Flaws
Google has released a new Chrome Stable update for desktop that fixes 27 security vulnerabilities, including two critical use-after-free flaws in the browser’s Ozone and Views components.
The July 8 Chrome Stable update moves Chrome to version 150.0.7871.114/.115 on Windows and macOS, and 150.0.7871.114 on Linux. Google says the rollout will happen over the coming days and weeks.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
The two critical flaws are tracked as CVE-2026-15112 and CVE-2026-15129. Both are use-after-free vulnerabilities, a memory-safety bug class that can cause serious browser compromise if attackers find a reliable exploitation path.
What Google Fixed in This Chrome Update
The update covers a wide range of Chrome components, including Ozone, Views, V8, ANGLE, Extensions, Autofill, Codecs, WebRTC, Payments, Forms, DOM, Navigation, and IndexedDB.
Google linked the release to its Chrome Security Page and said some bug details will stay restricted until most users have received the fix. This is standard practice for browser updates because public technical details can help attackers build exploits before users patch.
The flaws include memory corruption issues, insufficient validation of untrusted input, inappropriate implementation bugs, and policy enforcement weaknesses. Google did not state in the release notes that any of the 27 issues were being exploited in the wild at the time of publication.
| Chrome platform | Updated version | Rollout status |
|---|---|---|
| Windows | 150.0.7871.114/.115 | Rolling out over the coming days and weeks |
| macOS | 150.0.7871.114/.115 | Rolling out over the coming days and weeks |
| Linux | 150.0.7871.114 | Rolling out over the coming days and weeks |
The Two Critical Chrome Flaws
CVE-2026-15112 is a use-after-free vulnerability in Ozone, Chrome’s platform abstraction layer. CVE-2026-15129 is a use-after-free vulnerability in Views, a framework used for user interface elements in Chromium-based browsers.
Use-after-free bugs happen when software continues to use memory after it has already been released. In browsers, this type of flaw can become dangerous because attackers may try to trigger memory corruption through a crafted web page, document, media file, or other browser-handled content.
The CVE Program gives vendors and researchers common identifiers for publicly disclosed security vulnerabilities. In this case, the two critical identifiers help security teams track whether devices have received the Chrome fix.
| CVE ID | Issue type | Affected component | Severity |
|---|---|---|---|
| CVE-2026-15112 | Use-after-free | Ozone | Critical |
| CVE-2026-15129 | Use-after-free | Views | Critical |
| CVE-2026-15132 | Uninitialized use | V8 | High |
| CVE-2026-15108 | Integer overflow | Extensions API | High |
| CVE-2026-15121 | Use-after-free | WebRTC | High |
High-Severity Bugs Also Affect V8, WebRTC, Extensions, and Forms
The update also fixes 23 high-severity vulnerabilities. Several involve use-after-free bugs in components such as Autofill, Extensions, Forms, Payments, Input, Core, WebRTC, Views, and InterestGroups.
One notable high-severity issue is CVE-2026-15132, an uninitialized use vulnerability in V8, Chrome’s JavaScript engine. V8 flaws often draw attention because JavaScript runs directly on websites and can become part of browser exploit chains.
Another high-severity issue, CVE-2026-15108, affects the Extensions API through an integer overflow. Extension-related flaws matter because browser extensions can hold powerful permissions and interact with sensitive browsing activity.
- Memory-safety bugs affect Ozone, Views, Autofill, WebRTC, Payments, Forms, Core, Input, and Extensions.
- Input validation flaws affect WebAppInstalls, Codecs, DOM, and Navigation.
- Implementation issues affect GetUserMedia, WebGL, and Forms.
- Policy enforcement flaws affect Passwords and Navigation.
- Google credited both internal work and external researchers for parts of the release.
Why Browser Memory Bugs Need Fast Patching
Browser vulnerabilities carry high risk because Chrome processes untrusted web content every day. A successful exploit can start with a malicious site, a compromised legitimate page, or content loaded through ads, redirects, or embedded media.
Chrome’s sandbox and other hardening features reduce the damage a single bug can cause, but attackers often chain vulnerabilities together. A memory corruption flaw in the renderer can become more dangerous when combined with a sandbox escape or privilege escalation bug.
Google said many Chrome security bugs are detected with tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL. The Chrome Stable notes also show why automated testing remains important for a browser with many exposed components.
| Bug category | Why it matters |
|---|---|
| Use-after-free | Can corrupt memory after the browser reuses released memory |
| Uninitialized use | Can expose unpredictable memory state or trigger unsafe behavior |
| Integer overflow | Can break size calculations and lead to unsafe memory access |
| Insufficient validation | Can let unexpected input bypass browser assumptions |
| Policy enforcement issue | Can weaken security boundaries or browser rules |
How to Update Chrome Now
Chrome usually installs updates in the background, but users still need to restart the browser to apply them. Google’s Chrome update instructions say users can check manually by opening Chrome, selecting the menu in the top-right corner, and going to Help, then About Google Chrome.
On the About Google Chrome page, the browser checks for updates and shows the current version number. If Chrome downloads an update, users should select Relaunch to finish applying it.
Linux users should also make sure Chrome has received the update through their package manager. Enterprises should verify update status through endpoint management tools, especially on systems where browser restarts get delayed for days.
- Open Chrome on your computer.
- Select the three-dot menu in the top-right corner.
- Go to Help.
- Select About Google Chrome.
- Install the available update and relaunch Chrome.
What IT Teams Should Do
Organizations should treat this as a priority browser update because it contains two critical vulnerabilities and many high-severity bugs across exposed browser components.
Security teams should confirm that Windows, macOS, and Linux endpoints have moved to Chrome 150.0.7871.114 or later, with Windows and macOS also receiving the 150.0.7871.115 build depending on channel and rollout timing.
The Chromium security guidance explains that Chrome’s defense model depends on multiple layers, including sandboxing, exploit mitigations, safe handling of web content, and timely updates. The CVE list helps teams map these flaws to vulnerability scanners, patch dashboards, and internal remediation tickets.
- Audit Chrome versions across managed endpoints.
- Force browser restarts where users have delayed updates.
- Monitor vulnerability scanners for the listed CVE identifiers.
- Prioritize internet-facing and high-risk user groups first.
- Review extension policies because one high-severity flaw affects the Extensions API.
Why Users Should Not Wait
Google has not shared full technical details for many of the vulnerabilities yet, which reduces the chance of immediate copycat exploitation. That restriction will not last forever, and attackers often reverse-engineer patches after release.
For everyday users, the safest step is simple: update Chrome and restart the browser. Leaving Chrome open for long periods can delay the final installation of security updates, even when the browser has already downloaded them.
The same advice applies to admins managing shared workstations, developer machines, and employee laptops. A browser patch does not fully protect users until the updated version actually runs, so checking the About Google Chrome page remains the quickest way to confirm the fix.
FAQ
The latest Chrome Stable desktop update fixes 27 security vulnerabilities, including two critical use-after-free flaws tracked as CVE-2026-15112 and CVE-2026-15129.
Google lists the fixed desktop versions as 150.0.7871.114/.115 for Windows and macOS, and 150.0.7871.114 for Linux.
Yes. Google rated both vulnerabilities as critical. CVE-2026-15112 affects Ozone, while CVE-2026-15129 affects Views.
Google did not state in the release notes that any of the 27 vulnerabilities were being exploited in the wild at the time of publication.
Open Chrome, select the three-dot menu, go to Help, choose About Google Chrome, wait for Chrome to check for updates, and then select Relaunch if an update is available.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages