Chrome Update Patches 382 Vulnerabilities, Including 15 Critical Flaws
Key Takeaways
- Google has released Chrome version 151 (150.0.7871.46), addressing a total of 382 security vulnerabilities.
- The update includes patches for 15 critical flaws, many of which are “use after free” vulnerabilities.
- These critical vulnerabilities could enable remote code execution and full browser compromise.
- The patch is available for Windows, macOS, Linux, and Chrome for iOS users.
Extensive Chrome Update Addresses 382 Vulnerabilities, Including 15 Critical Flaws
Google has rolled out a significant security update for its Chrome web browser, version 151, which integrates patches for an extensive 382 security vulnerabilities. Among these, 15 are classified as critical, posing a substantial risk for remote code execution and complete browser compromise if not addressed promptly.
This critical update is being deployed across Windows, macOS, Linux, and Chrome for iOS platforms. The fixes span nearly every foundational component within the browser’s architecture, reinforcing its overall security posture.
Details of the Patch Release
According to official release notes from Google, the stable channel update to Chrome 151, specifically desktop build 150.0.7871.46, incorporates 382 distinct security fixes. These vulnerabilities were identified and reported through Google’s Chrome Vulnerability Rewards Program.
In line with Google’s standard coordinated disclosure protocols, specific details regarding these bugs will remain partially undisclosed until the majority of users have successfully updated their browsers. This strategy aims to prevent threat actors from exploiting vulnerabilities in unpatched systems.
The scope of the patched vulnerabilities is broad, encompassing critical remote code execution issues alongside lower-severity flaws related to user interface (UI) and policy enforcement. These issues affect various subsystems, including web rendering, graphics, casting, networking, and components specific to the iOS version of Chrome.
Many of these security defects were discovered internally by Google’s engineering teams. They leveraged advanced memory-safety analysis tools such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, and various fuzzing frameworks to pinpoint these vulnerabilities.
Critical Vulnerabilities Addressed
Google has designated 15 of the resolved vulnerabilities as critical. A majority of these are “use after free” issues found in high-risk components like Extensions, GPU, WebUSB, Browser, Views, Bluetooth, Chromoting, and Ozone.
These memory corruption flaws are particularly dangerous as they can often be chained together. This allows attackers to achieve arbitrary code execution within the browser or even the underlying operating system context, typically when a user navigates to a malicious webpage or interacts with attacker-controlled content.
The critical vulnerability set also includes instances of type confusion and insufficient validation of untrusted input. These were identified in rendering and graphics subsystems such as Dawn, ANGLE, and Skia, as well as within iOSWeb’s input handling mechanisms.
Exploitation of these specific bugs could enable attackers to bypass sandbox protections, trigger heap corruption, or hijack control flow. Such actions significantly elevate the risk of “drive-by compromise” scenarios, where a user’s system is compromised simply by visiting a malicious website.
Beyond the 15 critical issues, Google fixed a large number of high‑severity vulnerabilities impacting areas such as Chromecast, QUIC, Updater, SVG, Chrome for iOS, Safe Browsing, Accessibility, Canvas, File Input, and various enterprise-focused functionalities.
Many of these high-severity flaws also involve use-after-free, heap buffer overflow, integer overflow, or insufficient policy enforcement. These types of vulnerabilities can facilitate information disclosure, privilege escalation, or sandbox escapes within realistic attack chains.
The update also addresses hundreds of medium-severity vulnerabilities affecting Web Authentication, WebHID, WebXR, DevTools, Autofill, Passwords, PDF, Codecs, Fonts, and numerous UI components. While individually less severe, these bugs collectively expand Chrome’s potential attack surface and can be combined with other vulnerabilities to enhance exploit reliability or circumvent security prompts and indicators.
Furthermore, Google has included dozens of low-severity fixes. These focus on issues such as incorrect security UI displays, policy bypasses, and insufficient validation in components like SplitView, WebXR, Network, WebNN, Chrome for iOS, TabStrip, Storage, GamepadAPI, History Embeddings, and newer AI- and credential-related features.
These lower-severity issues typically contribute to user deception, inconsistent security states, or subtle sandbox and permission bypasses, rather than direct code execution. However, even low-severity weaknesses are crucial for overall browser hardening, particularly against sophisticated threat actors who often rely on multi-bug exploitation chains and social engineering tactics.
Google acknowledges and credits numerous external researchers and partners, alongside its internal teams, for reporting these issues during the Chrome 151 development cycle.
| CVE ID | Component | Root cause / bug class | Reported by | Report date |
|---|---|---|---|---|
| CVE-2026-13774 | Extensions | Use after free in Extensions | | 2026-04-26 |
| CVE-2026-13775 | GPU | Use after free in GPU | | 2026-05-10 |
| CVE-2026-13776 | Dawn | Type confusion in Dawn | | 2026-05-14 |
| CVE-2026-13777 | iOSWeb | Insufficient validation of untrusted input in iOSWeb | | 2026-05-14 |
| CVE-2026-13778 | WebUSB | Use after free in WebUSB | | 2026-05-14 |
| CVE-2026-13779 | Chromoting | Use after free in Chromoting | | 2026-05-14 |
| CVE-2026-13780 | ANGLE | Insufficient validation of untrusted input in ANGLE | | 2026-05-19 |
| CVE-2026-13781 | Skia | Insufficient validation of untrusted input in Skia | | 2026-05-25 |
| CVE-2026-13782 | Browser | Use after free in Browser | | 2026-05-26 |
| CVE-2026-13783 | Views | Use after free in Views | | 2026-05-27 |
| CVE-2026-13784 | Views | Use after free in Views | | 2026-05-27 |
| CVE-2026-13785 | Bluetooth | Use after free in Bluetooth | | 2026-05-27 |
| CVE-2026-13786 | Ozone | Use after free in Ozone | | 2026-05-29 |
| CVE-2026-13787 | Chromoting | Use after free in Chromoting | | 2026-06-11 |
| CVE-2026-13788 | Fullscreen | Use after free in Fullscreen | | 2026-06-12 |
What You Should Do
- Update Immediately: All users should update to the latest Chrome 151 stable release as soon as possible to mitigate the risk of code execution attacks.
- Enable Automatic Updates: Ensure automatic updates are enabled for Chrome to receive security patches promptly.
- Enterprise Deployment: For organizations, prioritize testing and rolling out Chrome 151 across all managed devices, particularly focusing on environments that heavily utilize extensions, remote desktop (Chromoting), WebUSB, WebXR, Chromecast, and Chrome for iOS.
- Review Security Baselines: Enterprises should review their browser security baselines, including extension governance, site isolation policies, Safe Browsing settings, and OS-level exploit mitigations, to ensure they complement the protections introduced in this update.
- Monitor Advisories: Stay informed by regularly monitoring Chrome’s official security advisory channels for future vulnerability batches and updates.
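For the enterprise rollout step above, a fleet check can confirm which managed desktops have reached the fixed build. The following is an added example, not code from Google or from this article's source; it assumes an inventory of tab-separated `host<TAB>output of chrome --version` lines and uses the desktop build number quoted in this article as the threshold.

```python
import re

# Desktop build number as stated in this article; adjust per platform if
# the official release notes list different builds.
FIXED_BUILD = (150, 0, 7871, 46)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(text):
    """Return the four-part version found in `chrome --version` style output, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version, fixed=FIXED_BUILD):
    """Compare numerically, part by part, so 150.0.7871.5 sorts below 150.0.7871.46."""
    if version is None:
        return "unknown"
    return "patched" if version >= fixed else "outdated"


def audit(inventory_lines, fixed=FIXED_BUILD):
    """Group hosts by status from 'host<TAB>version output' lines."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for line in inventory_lines:
        if not line.strip():
            continue
        host, _, raw = line.partition("\t")
        report[classify(parse_chrome_version(raw), fixed)].append(host.strip())
    return report


# Constructed sample inventory (hostnames and the non-fixed versions are made up).
SAMPLE = [
    "ws-001\tGoogle Chrome 150.0.7871.46",
    "ws-002\tGoogle Chrome 150.0.7871.5",
    "ws-003\tGoogle Chrome 149.0.7800.120 ",
    "mac-01\tGoogle Chrome 151.0.7900.10",
    "lnx-07\tcommand not found",
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` returned no parseable version and need manual follow-up rather than being assumed patched.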
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


