Chrome 150 Update Fixes 15 Security Flaws, Including Two Critical Ozone Bugs
Google has released a Chrome 150 security update that fixes 15 vulnerabilities, including two critical use-after-free flaws that could expose affected computers to remote code execution.
The Chrome Stable Channel update moves Windows and macOS installations to version 150.0.7871.124 or 150.0.7871.125. Linux users should receive version 150.0.7871.124.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
Google started rolling out the update on July 14, 2026. The company said it could take several days or weeks to reach every desktop device, but users can manually check for it immediately.
Two critical Chrome flaws affect Ozone
The most serious vulnerabilities are CVE-2026-15764 and CVE-2026-15765. Google classified both as critical use-after-free bugs in Ozone, Chromeโs platform abstraction layer for graphics, windows, input, and display functions.
A use-after-free vulnerability occurs when software continues using a memory location after releasing it. An attacker may manipulate the freed memory to corrupt the browser process and potentially execute unintended code.
The National Vulnerability Database entry for CVE-2026-15764 says an attacker could trigger heap corruption through a crafted HTML page. The attack requires convincing a user to perform specific interface gestures.
| CVE | Severity | Vulnerability | Component |
|---|---|---|---|
| CVE-2026-15764 | Critical | Use after free | Ozone |
| CVE-2026-15765 | Critical | Use after free | Ozone |
| CVE-2026-15766 | High | Uninitialized use | Skia |
| CVE-2026-15767 | High | Heap buffer overflow | libyuv |
| CVE-2026-15768 | High | Insufficient policy enforcement | HTML-in-Canvas |
| CVE-2026-15769 | High | Insufficient validation of untrusted input | Linux Toolkit Theming |
| CVE-2026-15770 | High | Uninitialized use | V8 |
| CVE-2026-15771 | High | Insufficient validation of untrusted input | Media |
| CVE-2026-15772 | High | Use after free | GPU |
| CVE-2026-15773 | High | Use after free | Core |
| CVE-2026-15774 | High | Use after free | Skia |
| CVE-2026-15775 | High | Insufficient policy enforcement | V8 |
| CVE-2026-15776 | High | Type confusion | V8 |
| CVE-2026-15777 | High | Use after free | UI |
| CVE-2026-15778 | Medium | Insufficient validation of untrusted input | Navigation |
No active attacks have been reported
Googleโs release announcement does not state that attackers have exploited either critical flaw in the wild. The Center for Internet Security advisory also says there are currently no reports of active exploitation.
This distinction means the vulnerabilities should not be described as zero-days under active attack. However, their critical severity and potential impact make prompt installation important.
Google has restricted access to detailed bug reports until most users receive the fixes. This policy reduces the amount of technical information available to attackers while vulnerable Chrome installations remain online.
High-severity flaws affect V8, Skia, and Chromeโs GPU code
The update also resolves 12 high-severity vulnerabilities across major browser components. Several involve memory corruption, including an uninitialized-use bug in Skia and a heap buffer overflow in libyuv.
Skia handles much of Chromeโs two-dimensional graphics rendering. Libyuv provides image and video format conversion functions. Memory errors in these components can become dangerous when a browser processes attacker-controlled visual or media content.
Google also fixed three high-severity vulnerabilities in V8, Chromeโs JavaScript and WebAssembly engine:
- CVE-2026-15770, an uninitialized-use vulnerability
- CVE-2026-15775, an insufficient policy enforcement flaw
- CVE-2026-15776, a type confusion vulnerability
More use-after-free bugs were found across Chrome
Four additional high-severity use-after-free vulnerabilities affect Chromeโs GPU, Core, Skia, and user interface components. They are tracked as CVE-2026-15772, CVE-2026-15773, CVE-2026-15774, and CVE-2026-15777.
The release also fixes validation and policy enforcement problems in HTML-in-Canvas, Linux Toolkit Theming, Media, and Navigation. Google rated the Navigation vulnerability as medium severity and the others as high.
The official Chrome release notes credit Googleโs internal security teams for most of the discoveries. Microsoft researcher xinchaotian reported the Core use-after-free flaw, while Salvatore Gulizia, also known as Serotav, reported the V8 type confusion vulnerability.
| Reporter | Reported vulnerability | Date reported |
|---|---|---|
| CVE-2026-15764 and CVE-2026-15765 | May 27 and May 29, 2026 | |
| xinchaotian of Microsoft | CVE-2026-15773 | June 25, 2026 |
| Salvatore Gulizia | CVE-2026-15776 | July 8, 2026 |
What an attacker could gain from the Chrome flaws
The precise impact depends on the vulnerability, the operating system, Chromeโs sandbox, and the privileges assigned to the affected user account. The most severe bugs could allow arbitrary code to run with the logged-in userโs permissions.
According to the CIS security assessment, a successful attacker could potentially install programs or view, change, and delete data. Accounts with administrative privileges would face greater potential impact than standard user accounts.
Browser sandboxing creates an additional security boundary, so a complete system compromise may require another vulnerability or sandbox escape. Users should still treat the update as urgent because browsers regularly process untrusted content from websites, advertisements, images, and videos.
How to update Google Chrome
Chrome normally installs updates automatically in the background. Users must relaunch the browser before the new version fully replaces the vulnerable build.
To manually check for the Chrome 150 security update:
- Open Google Chrome.
- Select the three-dot menu in the upper-right corner.
- Open Help and select About Google Chrome.
- Wait while Chrome checks for and downloads the update.
- Select Relaunch when prompted.
Users can also enter chrome://settings/help in the address bar to open the update page directly. After restarting, the page should display the installed version.
Organizations should verify managed Chrome installations
IT administrators should use their endpoint management or browser management tools to identify systems that have not received the update. Devices that remain open for long periods without restarting may download the update but continue running an older, vulnerable browser process.
Administrators should confirm that Windows and macOS endpoints run Chrome 150.0.7871.124/.125 or a later version. Linux systems should run 150.0.7871.124 or later, following the versions listed in Googleโs update announcement.
The NVD record currently describes CVE-2026-15764 as affecting Chrome on Linux before version 150.0.7871.125, while Googleโs Linux release announcement lists 150.0.7871.124. Administrators should install the newest build offered through their official package channel rather than stopping at a specific minimum version.
- Force a Chrome restart after deployment
- Check version compliance across managed endpoints
- Prioritize devices used for email and unrestricted web browsing
- Run browsers through standard user accounts instead of administrator accounts
- Continue monitoring for revised exploitation information
FAQ
The update fixes 15 security vulnerabilities. These include two critical use-after-free bugs in Ozone, 12 high-severity flaws, and one medium-severity Navigation flaw.
Google has not reported active exploitation of the 15 vulnerabilities fixed in this update. Security organizations also reported no known attacks at the time of publication.
They are critical use-after-free vulnerabilities in Chrome’s Ozone component. Crafted web content combined with specific user interface gestures could potentially trigger heap corruption.
Google announced versions 150.0.7871.124 and 150.0.7871.125 for Windows and macOS, and version 150.0.7871.124 for Linux. Users should install the newest available version.
Open Chrome’s three-dot menu, select Help, and then choose About Google Chrome. Allow the update to download and relaunch the browser when prompted.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages