TL;DR
Google has shipped a Chrome security update that raises the Stable channel to 150.0.7871.124/.125 on Windows and Mac, and 150.0.7871.124 on Linux. The release fixes 15 security flaws, including two critical use-after-free bugs in Ozone, CVE-2026-15764 and CVE-2026-15765. Google has not reported in-the-wild exploitation or public proof-of-concept code for any of these flaws.
Why It Matters
Chrome dominates the desktop browser market, so browser flaws reach a huge install base. Critical use-after-free bugs often serve as the entry point for sandbox escapes and code execution. For that reason, Google keeps bug details restricted until most users receive the fix. Attackers routinely diff Chromium patches, which shrinks the safe patching window.
How the Attacks Work
The two critical bugs corrupt memory through use-after-free conditions in Ozone, Chrome’s platform abstraction layer. Eleven high-severity flaws follow, spread across V8, Skia, GPU, Core, UI, Media, and libyuv. They include type confusion in V8 (CVE-2026-15776), a heap buffer overflow in libyuv (CVE-2026-15767), and several uninitialized-use and policy-enforcement issues. A medium-severity input validation flaw in Navigation rounds out the list.
- Total: 15 CVEs
- Severity: 1 Critical · 8 High · 6 Medium
- Actively exploited: None confirmed
- Highest severity: 9.6 (Critical · CVSSv3) — CVE-2026-15773
- Action: Apply the latest security updates now
Notable CVEs
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-15773 | 9.6 | CWE-416 | 150.0.7871.125 | Not exploited |
| CVE-2026-15767 | 8.8 | CWE-122 | 150.0.7871.125 | Not exploited |
| CVE-2026-15776 | 8.8 | CWE-843 | 150.0.7871.125 | Not exploited |
| CVE-2026-15769 | 8.3 | CWE-20 | 150.0.7871.125 | Not exploited |
| CVE-2026-15772 | 8.3 | CWE-416 | 150.0.7871.125 | Not exploited |
| CVE-2026-15774 | 8.3 | CWE-416 | 150.0.7871.125 | Not exploited |
| CVE-2026-15764 | 7.5 | CWE-416 | 150.0.7871.125 | Not exploited |
| CVE-2026-15765 | 7.5 | CWE-416 | 150.0.7871.125 | Not exploited |
Affected Versions
All Chrome desktop builds before 150.0.7871.124 on Windows, Mac, and Linux carry these flaws. Chromium-based browsers, such as Edge, typically inherit the same fixes in later updates.
Patch and Mitigation Steps
Open Settings, then Help, then About Google Chrome to trigger the update, and relaunch the browser. Enterprises should push the Chrome security update through managed channels without delay.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.