Chrome 150 Update Fixes 15 Security Flaws, Including Two Critical Ozone Bugs


Google has released a Chrome 150 security update that fixes 15 vulnerabilities, including two critical use-after-free flaws that could expose affected computers to remote code execution.

The Chrome Stable Channel update moves Windows and macOS installations to version 150.0.7871.124 or 150.0.7871.125. Linux users should receive version 150.0.7871.124.

Google started rolling out the update on July 14, 2026. The company said it could take several days or weeks to reach every desktop device, but users can manually check for it immediately.

Two critical Chrome flaws affect Ozone

The most serious vulnerabilities are CVE-2026-15764 and CVE-2026-15765. Google classified both as critical use-after-free bugs in Ozone, Chromeโ€™s platform abstraction layer for graphics, windows, input, and display functions.

A use-after-free vulnerability occurs when software continues using a memory location after releasing it. An attacker may manipulate the freed memory to corrupt the browser process and potentially execute unintended code.

The National Vulnerability Database entry for CVE-2026-15764 says an attacker could trigger heap corruption through a crafted HTML page. The attack requires convincing a user to perform specific interface gestures.

CVESeverityVulnerabilityComponent
CVE-2026-15764CriticalUse after freeOzone
CVE-2026-15765CriticalUse after freeOzone
CVE-2026-15766HighUninitialized useSkia
CVE-2026-15767HighHeap buffer overflowlibyuv
CVE-2026-15768HighInsufficient policy enforcementHTML-in-Canvas
CVE-2026-15769HighInsufficient validation of untrusted inputLinux Toolkit Theming
CVE-2026-15770HighUninitialized useV8
CVE-2026-15771HighInsufficient validation of untrusted inputMedia
CVE-2026-15772HighUse after freeGPU
CVE-2026-15773HighUse after freeCore
CVE-2026-15774HighUse after freeSkia
CVE-2026-15775HighInsufficient policy enforcementV8
CVE-2026-15776HighType confusionV8
CVE-2026-15777HighUse after freeUI
CVE-2026-15778MediumInsufficient validation of untrusted inputNavigation

No active attacks have been reported

Googleโ€™s release announcement does not state that attackers have exploited either critical flaw in the wild. The Center for Internet Security advisory also says there are currently no reports of active exploitation.

This distinction means the vulnerabilities should not be described as zero-days under active attack. However, their critical severity and potential impact make prompt installation important.

Google has restricted access to detailed bug reports until most users receive the fixes. This policy reduces the amount of technical information available to attackers while vulnerable Chrome installations remain online.

High-severity flaws affect V8, Skia, and Chromeโ€™s GPU code

The update also resolves 12 high-severity vulnerabilities across major browser components. Several involve memory corruption, including an uninitialized-use bug in Skia and a heap buffer overflow in libyuv.

Skia handles much of Chromeโ€™s two-dimensional graphics rendering. Libyuv provides image and video format conversion functions. Memory errors in these components can become dangerous when a browser processes attacker-controlled visual or media content.

Google also fixed three high-severity vulnerabilities in V8, Chromeโ€™s JavaScript and WebAssembly engine:

  • CVE-2026-15770, an uninitialized-use vulnerability
  • CVE-2026-15775, an insufficient policy enforcement flaw
  • CVE-2026-15776, a type confusion vulnerability

More use-after-free bugs were found across Chrome

Four additional high-severity use-after-free vulnerabilities affect Chromeโ€™s GPU, Core, Skia, and user interface components. They are tracked as CVE-2026-15772, CVE-2026-15773, CVE-2026-15774, and CVE-2026-15777.

The release also fixes validation and policy enforcement problems in HTML-in-Canvas, Linux Toolkit Theming, Media, and Navigation. Google rated the Navigation vulnerability as medium severity and the others as high.

The official Chrome release notes credit Googleโ€™s internal security teams for most of the discoveries. Microsoft researcher xinchaotian reported the Core use-after-free flaw, while Salvatore Gulizia, also known as Serotav, reported the V8 type confusion vulnerability.

ReporterReported vulnerabilityDate reported
GoogleCVE-2026-15764 and CVE-2026-15765May 27 and May 29, 2026
xinchaotian of MicrosoftCVE-2026-15773June 25, 2026
Salvatore GuliziaCVE-2026-15776July 8, 2026

What an attacker could gain from the Chrome flaws

The precise impact depends on the vulnerability, the operating system, Chromeโ€™s sandbox, and the privileges assigned to the affected user account. The most severe bugs could allow arbitrary code to run with the logged-in userโ€™s permissions.

According to the CIS security assessment, a successful attacker could potentially install programs or view, change, and delete data. Accounts with administrative privileges would face greater potential impact than standard user accounts.

Browser sandboxing creates an additional security boundary, so a complete system compromise may require another vulnerability or sandbox escape. Users should still treat the update as urgent because browsers regularly process untrusted content from websites, advertisements, images, and videos.

How to update Google Chrome

Chrome normally installs updates automatically in the background. Users must relaunch the browser before the new version fully replaces the vulnerable build.

To manually check for the Chrome 150 security update:

  1. Open Google Chrome.
  2. Select the three-dot menu in the upper-right corner.
  3. Open Help and select About Google Chrome.
  4. Wait while Chrome checks for and downloads the update.
  5. Select Relaunch when prompted.

Users can also enter chrome://settings/help in the address bar to open the update page directly. After restarting, the page should display the installed version.

Organizations should verify managed Chrome installations

IT administrators should use their endpoint management or browser management tools to identify systems that have not received the update. Devices that remain open for long periods without restarting may download the update but continue running an older, vulnerable browser process.

Administrators should confirm that Windows and macOS endpoints run Chrome 150.0.7871.124/.125 or a later version. Linux systems should run 150.0.7871.124 or later, following the versions listed in Googleโ€™s update announcement.

The NVD record currently describes CVE-2026-15764 as affecting Chrome on Linux before version 150.0.7871.125, while Googleโ€™s Linux release announcement lists 150.0.7871.124. Administrators should install the newest build offered through their official package channel rather than stopping at a specific minimum version.

  • Force a Chrome restart after deployment
  • Check version compliance across managed endpoints
  • Prioritize devices used for email and unrestricted web browsing
  • Run browsers through standard user accounts instead of administrator accounts
  • Continue monitoring for revised exploitation information

FAQ

What vulnerabilities does the Chrome 150 update fix?

The update fixes 15 security vulnerabilities. These include two critical use-after-free bugs in Ozone, 12 high-severity flaws, and one medium-severity Navigation flaw.

Are the Chrome 150 vulnerabilities being actively exploited?

Google has not reported active exploitation of the 15 vulnerabilities fixed in this update. Security organizations also reported no known attacks at the time of publication.

What are CVE-2026-15764 and CVE-2026-15765?

They are critical use-after-free vulnerabilities in Chrome’s Ozone component. Crafted web content combined with specific user interface gestures could potentially trigger heap corruption.

Which Chrome version fixes the security flaws?

Google announced versions 150.0.7871.124 and 150.0.7871.125 for Windows and macOS, and version 150.0.7871.124 for Linux. Users should install the newest available version.

How can I update Google Chrome?

Open Chrome’s three-dot menu, select Help, and then choose About Google Chrome. Allow the update to download and relaunch the browser when prompted.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages