Chrome 150 Update Patches 15 Flaws, Two Critical Code Execution Vulnerabilities
Key Takeaways Google has released Chrome version 150, addressing 15 security vulnerabilities. Two critical use-after-free flaws (CVE-2026-15764, CVE-2026-15765) in Chrome’s Ozone component are...
Key Takeaways
- Google has released Chrome version 150, addressing 15 security vulnerabilities.
- Two critical use-after-free flaws (CVE-2026-15764, CVE-2026-15765) in Chrome’s Ozone component are among the most severe.
- These critical vulnerabilities could potentially allow for arbitrary code execution.
- The update also resolves numerous high-severity bugs across various browser components.
- Users are strongly advised to update their Chrome browsers immediately to protect against potential exploitation.
Chrome 150 Update Addresses Critical Code Execution Flaws
Google has initiated the rollout of Chrome version 150, a crucial stable channel update designed to bolster the browser’s security posture. This latest release, specifically version 150.0.7871.124/.125 for Windows and macOS, and 150.0.7871.124 for Linux, patches a total of 15 security vulnerabilities, including two critical memory safety issues.
Table Of Content
While the update’s deployment will occur incrementally over the coming days and weeks, Google urges both enterprise and individual users to apply the patch as soon as it becomes available to mitigate potential risks.
Critical Use-After-Free Vulnerabilities in Ozone
The most pressing concerns addressed in this update are two critical use-after-free vulnerabilities, identified as CVE-2026-15764 and CVE-2026-15765. Both flaws reside within Ozone, Chrome’s fundamental platform integration layer responsible for managing windowing, input, graphics, and display functions across supported operating systems.
A use-after-free vulnerability arises when a program attempts to access memory that has already been deallocated. This can be exploited by attackers to manipulate the freed memory, potentially leading to arbitrary code execution. In the context of a web browser, a malicious actor could craft specific web content or a website to trigger these vulnerabilities, compromising the user’s system.
Google has classified both Ozone vulnerabilities as critical, indicating their severe potential impact. Although detailed technical specifics of potential exploits have not been publicly disclosed, the severity rating suggests that these flaws could enable code execution under specific circumstances.
To minimize the risk of attackers developing and deploying exploits against unpatched systems, Google plans to withhold comprehensive bug information until a significant portion of the Chrome user base has successfully installed the necessary security fixes.
High-Severity Bugs Also Patched
Chrome 150 also fixes several high-severity bugs across various core browser components. Notable among these are CVE-2026-15766, an uninitialized-use vulnerability affecting Skia, Chrome’s graphics rendering engine, and CVE-2026-15767, a heap buffer overflow found in libyuv, a library critical for image and video format conversion.
Several other high-severity vulnerabilities impact V8, Chrome’s high-performance JavaScript and WebAssembly engine. These include CVE-2026-15770, an uninitialized memory use flaw, and CVE-2026-15775, which addresses an issue of insufficient policy enforcement.
Security researcher Salvatore Gulizia is credited with reporting CVE-2026-15776, a type confusion vulnerability in V8. This flaw can lead to memory corruption by enabling code to misinterpret an object’s type.
The update further resolves additional use-after-free vulnerabilities within the GPU, Core, Skia, and UI components. Furthermore, issues related to insufficient validation and policy enforcement have been addressed in HTML-in-Canvas, Linux Toolkit Theming, Media, and Navigation.
Google has acknowledged the contributions of its internal research teams, Microsoft researcher xinchaotian, and independent researcher Salvatore Gulizia for their efforts in identifying and reporting these vulnerabilities. Information regarding some reporters and associated reward amounts is currently listed as “TBD.”
What You Should Do
- Update Immediately: Individual users should update their Chrome browser without delay. Open Chrome, navigate to Settings, then “About Chrome,” and relaunch the browser once the update has downloaded.
- Verify Version: For organizations, ensure that all managed endpoints are running Chrome version 150.0.7871.124 or later on Linux, and versions 150.0.7871.124/.125 or later on Windows and macOS.
- Enable Automatic Updates: Confirm that automatic updates are enabled for Chrome across all devices to ensure timely application of future security patches.
- Stay Informed: Regularly monitor official Google Chrome release channels for further security advisories and updates.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.