Google Chrome 150 Patches 382 Security Flaws, Including 15 Critical Bugs


Google has released Chrome 150 to the stable channel with fixes for 382 security vulnerabilities, including 15 critical bugs that affect major browser components such as Extensions, GPU, WebUSB, Chromoting, Bluetooth, Browser, Views, Ozone, and Fullscreen.

The update is rolling out as Chrome 150.0.7871.46 for Linux and 150.0.7871.46/.47 for Windows and Mac, according to the official Chrome Releases notes published on June 30, 2026.

Users and administrators should install the update as soon as it becomes available. Google says access to some bug details may remain restricted until most users receive the fix, which reduces the chance that attackers can quickly build exploits from public details.

Chrome 150 Fixes 382 Security Issues

The Chrome 150 stable update is unusually large. Google lists 382 security fixes, with the most severe bugs rated critical and many others rated high, medium, or low severity.

The critical issues include use-after-free flaws, type confusion, and insufficient validation of untrusted input. These bug classes can create memory corruption or unsafe browser behavior when triggered by malicious web content or attacker-controlled data.

Google also released Chrome 150 for Android. The Chrome for Android update says Android releases include the same security fixes as the corresponding desktop releases unless Google notes an exception.

| Platform | Updated version | Status |
|---|---|---|
| Windows | 150.0.7871.46/.47 | Rolling out over the coming days and weeks |
| macOS | 150.0.7871.46/.47 | Rolling out over the coming days and weeks |
| Linux | 150.0.7871.46 | Rolling out over the coming days and weeks |
| Android | 150.0.7871.63 | Rolling out through Google Play |

The 15 Critical Chrome Vulnerabilities

The 15 critical vulnerabilities are tracked as CVE-2026-13774 through CVE-2026-13788. Most are use-after-free flaws, a common memory-safety issue where software keeps using memory after it has already been freed.

Use-after-free bugs can become dangerous in browsers because attackers may use carefully crafted pages, extension content, device interactions, or rendering paths to corrupt memory and influence browser execution.

Google’s stable channel update lists the critical flaws across Extensions, GPU, Dawn, iOSWeb, WebUSB, Chromoting, ANGLE, Skia, Browser, Views, Bluetooth, Ozone, and Fullscreen.

| CVE | Component | Bug type | Severity |
|---|---|---|---|
| CVE-2026-13774 | Extensions | Use after free | Critical |
| CVE-2026-13775 | GPU | Use after free | Critical |
| CVE-2026-13776 | Dawn | Type confusion | Critical |
| CVE-2026-13777 | iOSWeb | Insufficient validation of untrusted input | Critical |
| CVE-2026-13778 | WebUSB | Use after free | Critical |
| CVE-2026-13779 | Chromoting | Use after free | Critical |
| CVE-2026-13780 | ANGLE | Insufficient validation of untrusted input | Critical |
| CVE-2026-13781 | Skia | Insufficient validation of untrusted input | Critical |
| CVE-2026-13782 | Browser | Use after free | Critical |
| CVE-2026-13783 | Views | Use after free | Critical |
| CVE-2026-13784 | Views | Use after free | Critical |
| CVE-2026-13785 | Bluetooth | Use after free | Critical |
| CVE-2026-13786 | Ozone | Use after free | Critical |
| CVE-2026-13787 | Chromoting | Use after free | Critical |
| CVE-2026-13788 | Fullscreen | Use after free | Critical |

Why These Chrome Bugs Matter

Browser vulnerabilities matter because the browser sits between users and untrusted content all day. A malicious page, file, extension, or web interaction can reach complex code paths in graphics, rendering, networking, permissions, and device APIs.

Several of the critical flaws affect high-risk areas. GPU, Dawn, ANGLE, and Skia all sit close to graphics and rendering. WebUSB and Bluetooth involve device-related surfaces. Extensions and Chromoting can matter heavily in enterprise environments.

Google’s Chromium Security page explains that the project works on secure architecture, bug fixing, hardening, and vulnerability coordination across the Chromium platform.

  • Use-after-free flaws can cause memory corruption.
  • Type confusion can make software treat one kind of object as another.
  • Input validation flaws can let untrusted data reach unsafe code paths.
  • Graphics and rendering bugs can be triggered by web content.
  • Extension-related bugs can affect users and organizations with large extension fleets.
  • Remote access components such as Chromoting deserve extra review in managed environments.

High-Severity Bugs Expand The Risk Surface

The 15 critical bugs are the headline, but Chrome 150 also fixes many high-severity vulnerabilities. These include issues in GPU, Downloads, SVG, WebAppInstalls, Chrome for iOS, Chromecast, QUIC, Updater, WebRTC, Media, PDF, Network, Passwords, and other components.

High-severity Chrome bugs may not always lead directly to full compromise by themselves. However, attackers often chain several browser bugs together to improve reliability, escape restrictions, or bypass user-facing security checks.

That is why administrators should avoid patching only when a public exploit appears. Large browser updates reduce the number of building blocks attackers can combine in future exploit chains.

| Component group | Examples in this update | Security concern |
|---|---|---|
| Rendering and graphics | GPU, Skia, ANGLE, Dawn, SVG | Memory corruption through crafted web content |
| Browser features | Fullscreen, Views, Browser, Downloads | Unsafe UI or browser-state behavior |
| Device and platform APIs | WebUSB, Bluetooth, WebRTC | Abuse of device-facing or communication features |
| Enterprise and remote access | Extensions, Chromoting, Updater | Fleet risk across managed devices |
| Mobile and casting | Chrome for iOS, Chromecast | Platform-specific exposure outside desktop |

No Public Exploitation Notice In This Chrome 150 Bulletin

Google’s June 30 Chrome 150 bulletin does not state that any of the 15 critical vulnerabilities are being exploited in the wild. That is an important difference from emergency Chrome updates where Google explicitly warns about active exploitation.

Even without a public exploitation warning, the update deserves urgency. Browser exploit details often become more useful to attackers after patches ship and researchers compare fixed and vulnerable code.

Chrome’s disclosure practice also limits access to bug details until enough users receive the update. That delay gives users and enterprises time to patch before technical information becomes easier to obtain.

How Google Found Many Of The Bugs

Google credits internal teams and outside researchers for the Chrome 150 fixes. The release notes also say many Chrome security bugs are found with tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, and AFL.

These tools help find memory errors, undefined behavior, bad assumptions, and parser bugs before attackers can use them. They are especially important in a browser because Chrome handles many file formats, web APIs, scripts, graphics paths, and device interfaces.

The Chromium security team also manages vulnerability reporting and responsible disclosure for Chrome and Chromium. That process helps keep unfixed bug details private while fixes move through the release pipeline.

What Users Should Do Now

Most Chrome users receive updates automatically, but the patch only protects the browser after the update installs and Chrome restarts. Users who keep browser windows open for long periods should check manually.

Google’s Chrome update help says desktop users can open Chrome, go to the three-dot menu, choose Help, open About Google Chrome, and relaunch when prompted.

Android users should install the update through Google Play. Since the Android stable update carries the same desktop security fixes unless otherwise noted, mobile users should not ignore the release.

  • Open Chrome and go to Help > About Google Chrome.
  • Let Chrome check for the latest update.
  • Relaunch the browser when prompted.
  • On Android, update Chrome through Google Play.
  • On Linux, update Chrome through the system package manager.
  • Restart managed browsers after enterprise deployment completes.

Enterprise Admins Should Prioritize Managed Rollout

Enterprises should test and roll out Chrome 150 quickly across managed Windows, macOS, Linux, Android, and iOS fleets where applicable. The update touches components that many organizations depend on, including extensions, remote desktop, device APIs, and graphics features.

Organizations using many browser extensions should review extension governance at the same time. Critical flaws in the Extensions component make it important to restrict unnecessary extensions and keep policies tight.

Chrome’s Enterprise and Education release notes can help administrators track broader Chrome changes alongside security updates, especially in environments with staged rollouts and policy testing.

| Enterprise area | Why it matters after this update | Recommended action |
|---|---|---|
| Extensions | Critical extension-related flaw fixed | Review allowlists and remove unused extensions |
| Remote desktop | Chromoting had critical use-after-free fixes | Review remote access policy and monitor usage |
| Device APIs | WebUSB and Bluetooth bugs were fixed | Restrict device permissions where possible |
| Graphics stack | GPU, Dawn, ANGLE, and Skia received critical fixes | Deploy the update broadly, not only to high-risk users |
| Update compliance | Large patch set increases risk from stale browsers | Track version reporting and force relaunch where needed |

Chrome 151 Confusion Explained

The security update is for Chrome 150, not Chrome 151. On July 1, Google also announced Chrome Beta 151 for iOS, but that beta announcement is separate from the June 30 stable security release.

This distinction matters for administrators. Stable-channel users should look for the Chrome 150 builds listed by Google, while beta users may see different version numbers that do not represent the same production rollout.

In managed environments, admins should confirm the installed browser version through their management console or endpoint inventory. A browser that has downloaded the update but has not relaunched may still run the older vulnerable process.
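A fleet check along the lines described above, as an added example (not from Google or the original article): it compares inventory records against the fixed builds in the version table and separates outdated hosts from hosts that have the update on disk but still run an older process. The record fields (host, platform, installed, running), the status names, and the sample hosts with their non-fixed version numbers are constructed for illustration.

```python
# Minimum fixed builds per platform, from the article's version table.
FIXED = {"windows": "150.0.7871.46", "macos": "150.0.7871.46",
         "linux": "150.0.7871.46", "android": "150.0.7871.63"}

def parse(version):
    """Turn '150.0.7871.46' into (150, 0, 7871, 46); reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {version!r}")
    return tuple(int(p) for p in parts)

def classify(rec):
    """Return a compliance status for one inventory record."""
    platform = rec["platform"].lower()
    if platform not in FIXED:
        return "unknown-platform"      # no fixed build listed for this platform
    fixed = parse(FIXED[platform])
    try:
        installed = parse(rec["installed"])
        # Assumption: if no running version is reported, it equals installed.
        running = parse(rec.get("running") or rec["installed"])
    except ValueError:
        return "unparseable"
    if installed[0] > fixed[0]:
        return "other-milestone"       # e.g. a 151 beta, not the stable 150 rollout
    if installed < fixed:
        return "outdated"              # fix not installed yet
    if running < fixed:
        return "pending-relaunch"      # fix on disk, old process still running
    return "patched"

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"host": "win-01", "platform": "Windows", "installed": "150.0.7871.47",
     "running": "150.0.7871.47"},
    {"host": "mac-02", "platform": "macOS", "installed": "150.0.7871.46",
     "running": "149.0.7800.10"},
    {"host": "lin-03", "platform": "Linux", "installed": "149.0.7800.10"},
    {"host": "and-04", "platform": "Android", "installed": "150.0.7871.46"},
    {"host": "win-05", "platform": "Windows", "installed": "151.0.7900.2"},
    {"host": "lin-06", "platform": "Linux", "installed": "150.0.7871"},
]

def report(inventory):
    """Map each host name to its compliance status."""
    return {rec["host"]: classify(rec) for rec in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:8} {status}")
```

The Android record shows why the comparison has to be per platform: 150.0.7871.46 is the fixed Linux build but sits below the Android build listed in the table.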

Bottom Line

Chrome 150 is a major security update. It fixes 382 vulnerabilities, including 15 critical flaws across core browser components that attackers could use as part of code execution or browser compromise chains.

Google has not flagged active exploitation for the critical flaws in this specific release, but the size and severity of the patch set make fast deployment important. Users should update and relaunch Chrome, while enterprises should verify fleet-wide compliance.

Google’s update instructions remain the simplest check for individuals, while enterprise teams should follow their normal testing and deployment channels using the enterprise release notes as a companion reference.

FAQ

Is this Chrome update for Chrome 150 or Chrome 151?

It is a Chrome 150 stable-channel update. Google listed Chrome 150.0.7871.46 for Linux and 150.0.7871.46/.47 for Windows and Mac. Chrome 151 was in beta for iOS on July 1, 2026.

How many vulnerabilities did Google fix in Chrome 150?

Google fixed 382 security issues in the Chrome 150 stable update, including 15 vulnerabilities rated critical.

Which Chrome components had critical vulnerabilities?

The critical vulnerabilities affected Extensions, GPU, Dawn, iOSWeb, WebUSB, Chromoting, ANGLE, Skia, Browser, Views, Bluetooth, Ozone, and Fullscreen.

Did Google say these Chrome 150 flaws are being exploited in the wild?

Google’s June 30 Chrome 150 bulletin did not state that any of the listed critical flaws are being exploited in the wild. Users should still update quickly because browser bugs can become easier to exploit after patches are released.

How can users install the Chrome security update?

Desktop users can open Chrome, go to Help, select About Google Chrome, let the browser check for updates, and relaunch when prompted. Android users should update Chrome through Google Play.
