TL;DR
Google pushed Chrome 150.0.7871.128/.129 to the Stable channel on July 16, 2026. The release fixes seven flaws, and three of them carry a Critical rating. Google reports no exploitation in the wild.
Why it matters
Three Critical bugs in a single round stands out. Most Chrome updates ship with one Critical or none at all. Each of these three sits in a component that untrusted web content can reach.
The Network flaw also moved fast. Google logged CVE-2026-15901 on July 10 and shipped the fix six days later. That turnaround suggests the team saw real risk.
One credit goes outside Google. OpenAI Codex Security reported the V8 bug on July 6, and the bounty still reads TBD. Google found the other six itself.
How the attacks work
Six of the seven bugs are use-after-free issues. Code holds a pointer to memory that has already been released. An attacker who controls what fills that memory can then steer execution.
The seventh differs. CVE-2026-15903 is an out-of-bounds read and write in V8, Chrome’s JavaScript engine. Google restricts bug details until most users update, so deeper mechanism detail stays unavailable by design.
The seven CVEs
- Critical: CVE-2026-15899 (CameraCapture), CVE-2026-15900 (GPU), CVE-2026-15901 (Network)
- High: CVE-2026-15902 (Cast), CVE-2026-15903 (V8), CVE-2026-15904 (Ozone), CVE-2026-15905 (Aura)
Exploitation status
Google’s advisory reports no in-the-wild exploitation. No public proof-of-concept exists either. Google credits internal discovery for six of the seven bugs.
Affected versions
Any desktop Chrome build older than 150.0.7871.128 needs this Chrome security update. Chromium-based browsers inherit the same code, so Edge, Brave, Opera, and Vivaldi users should watch for their own releases.
Patch and mitigation steps
Move to 150.0.7871.128/.129 on Windows and Mac. Linux users need 150.0.7871.128. Google’s Chrome Releases advisory notes the rollout arrives over days or weeks, so waiting leaves a gap.
Force the check instead. Open Chrome’s About page, let it pull the build, then relaunch. The relaunch matters, because the Chrome security update only takes effect after a restart.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.