Chrome Update Patches 27 Vulnerabilities, Two Critical Code Execution Flaws
Key Takeaways Google has released an urgent update for its Chrome browser, addressing 27 security vulnerabilities. Two critical remote code execution (RCE) flaws, CVE-2026-15112 and CVE-2026-15129,...
Key Takeaways
- Google has released an urgent update for its Chrome browser, addressing 27 security vulnerabilities.
- Two critical remote code execution (RCE) flaws, CVE-2026-15112 and CVE-2026-15129, pose significant risks.
- The vulnerabilities affect multiple Chrome components across Windows, macOS, and Linux platforms.
- Users are strongly advised to update to Chrome version 150.0.7871.114/.115 immediately to patch these severe issues.
Chrome Update Addresses 27 Vulnerabilities, Including Critical Remote Code Execution Flaws
Google has rolled out a crucial Stable channel update for its Chrome browser, addressing a total of 27 security vulnerabilities. Among these are two critical flaws that could enable remote code execution (RCE) on affected systems, posing a significant threat to user security.
Table Of Content
The update, which is currently being deployed globally, elevates Chrome to version 150.0.7871.114/.115 for Windows and macOS users, and to version 150.0.7871.114 for Linux users.
Critical Use-After-Free Vulnerabilities Identified
The most severe issues patched in this release are identified as CVE-2026-15112 and CVE-2026-15129. Both are classified as critical use-after-free vulnerabilities, a dangerous class of memory corruption bugs.
CVE-2026-15112 specifically targets Chrome’s Ozone platform abstraction layer, while CVE-2026-15129 affects the Views UI framework. Use-after-free vulnerabilities arise when a program attempts to access memory that has already been deallocated. This can lead to memory corruption, which attackers can manipulate to execute arbitrary code on the victim’s machine.
In practical attack scenarios, a successful exploit could allow a remote attacker to compromise a user’s system simply by tricking them into visiting a specially crafted malicious webpage.
High-Severity Flaws Across Core Components
Beyond the critical RCE vulnerabilities, Google’s update also addresses numerous high-severity vulnerabilities impacting various Chrome components. These include a range of memory-safety issues, such as additional use-after-free flaws found in Autofill, WebRTC, Core, Input, Payments, and Forms. Furthermore, uninitialized memory usage vulnerabilities were discovered in the V8 JavaScript engine and ANGLE graphics abstraction layer.
Several other vulnerabilities stem from insufficient validation of untrusted input within components like WebAppInstalls and Codecs. Such flaws could be exploited to trigger unexpected browser behavior or to bypass existing security controls, potentially leading to further compromise.
Notably, CVE-2026-15132 points to an uninitialized use vulnerability in the V8 JavaScript engine. As a critical component responsible for executing web scripts, V8 is a frequent target for attackers due to its complexity and direct interaction with web content, making vulnerabilities within it particularly valuable for exploit development.
Another significant issue, CVE-2026-15108, involves an integer overflow in the Extensions API. This flaw could be leveraged by malicious browser extensions or crafted inputs to undermine browser integrity.
Google has also fixed multiple issues related to logic and policy enforcement, including deficiencies in password management, navigation handling, and DOM validation. While these weaknesses may not directly lead to code execution, they can be exploited to weaken browser security boundaries and facilitate more complex attacks.
Consistent with standard security practices for Chrome releases, detailed technical information for many of these vulnerabilities remains restricted. This measure is crucial to prevent threat actors from actively exploiting the flaws before a sufficient number of users have applied the necessary updates.
Overview of Key Patched Vulnerabilities:
| CVE ID | Vulnerability Type | Affected Component | Severity |
|---|---|---|---|
| CVE-2026-15112 | Use-after-free | Ozone | Critical |
| CVE-2026-15129 | Use-after-free | Views | Critical |
| CVE-2026-15132 | Uninitialized use | V8 | High |
| CVE-2026-15133 | Use-after-free | InterestGroups | High |
| CVE-2026-15108 | Integer overflow | Extensions API | High |
| CVE-2026-15109 | Uninitialized use | ANGLE | High |
| CVE-2026-15110 | Use-after-free | Extensions | High |
| CVE-2026-15111 | Use-after-free | Views | High |
| CVE-2026-15113 | Use-after-free | Autofill | High |
| CVE-2026-15114 | Out-of-bounds read/write | Codecs | High |
| CVE-2026-15115 | Insufficient input validation | WebAppInstalls | High |
| CVE-2026-15116 | Use-after-free | Actor | High |
| CVE-2026-15117 | Use-after-free | Payments | High |
| CVE-2026-15118 | Use-after-free | Input | High |
| CVE-2026-15119 | Inappropriate implementation | GetUserMedia | High |
| CVE-2026-15120 | Use-after-free | Core | High |
| CVE-2026-15121 | Use-after-free | WebRTC | High |
| CVE-2026-15122 | Insufficient input validation | Codecs | High |
| CVE-2026-15123 | Insufficient data validation | DOM | High |
| CVE-2026-15124 | Insufficient policy enforcement | Passwords | High |
| CVE-2026-15125 | Inappropriate implementation | Forms | High |
| CVE-2026-15126 | Use-after-free | Forms | High |
| CVE-2026-15127 | Inappropriate implementation | WebGL | High |
| CVE-2026-15128 | Inappropriate implementation | Forms | High |
| CVE-2026-15130 | Insufficient policy enforcement | Navigation | High |
| CVE-2026-15107 | Use-after-free | IndexedDB | Medium |
| CVE-2026-15131 | Insufficient data validation | Navigation | Medium |
Google confirmed that many of these bugs were identified internally through the use of advanced fuzzing and memory analysis tools, including AddressSanitizer, libFuzzer, and Control Flow Integrity mechanisms. This highlights the critical role of automated security testing in maintaining the integrity of modern browser ecosystems.
While there is currently no evidence to suggest that these vulnerabilities are being actively exploited in the wild, the presence of multiple memory corruption issues significantly elevates the risk of future weaponization. Threat actors frequently combine such flaws with sandbox escape techniques to achieve full system compromise.
What You Should Do
- Update Chrome Immediately: Navigate to your Chrome browser’s settings, then to “About Chrome,” and allow it to check for and install updates. Restart the browser as prompted.
- Enable Automatic Updates: Ensure your browser is configured to automatically apply updates to receive critical patches without delay.
- Be Wary of Malicious Links: Avoid clicking on suspicious links or visiting unfamiliar websites, as these could be used to exploit unpatched vulnerabilities.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.