Google has rolled out Chrome version 150.0.7871.124/.125 for Windows and macOS, and version 150.0.7871.124 for Linux users. This Stable Channel update addresses 15 security vulnerabilities, including two critical memory safety issues in Ozone.
The update will be released gradually and may take days or even weeks to reach every desktop device. Google advises both organizations and individual users to update Chrome as soon as the release becomes available.
The most serious vulnerabilities are tracked as CVE-2026-15764 and CVE-2026-15765. Both are use-after-free vulnerabilities in Ozone, Chrome’s platform integration layer responsible for windowing, input, graphics, and display-related functions on supported operating systems.
A use-after-free flaw occurs when software continues to access memory after it has been released. An attacker could potentially manipulate this memory to force the application to execute unintended code. In a browser scenario, an attacker could use a specially crafted website or web content to trigger this flaw.
CVESeverityVulnerabilityAffected componentCVE-2026-15764CriticalUse-after-freeOzoneCVE-2026-15765CriticalUse-after-freeOzoneCVE-2026-15766HighUninitialized useSkiaCVE-2026-15767HighHeap buffer overflowlibyuvCVE-2026-15768HighInsufficient policy enforcementHTML-in-CanvasCVE-2026-15769HighInsufficient validation of untrusted inputLinux Toolkit ThemingCVE-2026-15770HighUninitialized useV8CVE-2026-15771HighInsufficient validation of untrusted inputMediaCVE-2026-15772HighUse-after-freeGPUCVE-2026-15773HighUse-after-freeCoreCVE-2026-15774HighUse-after-freeSkiaCVE-2026-15775HighInsufficient policy enforcementV8CVE-2026-15776HighType confusionV8CVE-2026-15777HighUse-after-freeUICVE-2026-15778MediumInsufficient validation of untrusted inputNavigation
Google has rated both Ozone vulnerabilities as critical. While the company has not released detailed technical information about the exploits, their severity suggests they could lead to code execution under certain conditions.
Google plans to keep bug information restricted until most Chrome users have installed the necessary fixes to reduce the risk of attackers weaponizing the vulnerabilities against unpatched systems.
Chrome 150 also fixes several high-severity bugs across key browser components. These include CVE-2026-15766, an uninitialized-use flaw in Skia (Chrome’s graphics rendering library), and CVE-2026-15767, a heap buffer overflow in libyuv, a library used for image and video format conversion.
Other high-severity vulnerabilities affect V8, Chrome’s JavaScript and WebAssembly engine. CVE-2026-15770 pertains to uninitialized memory use in V8, while CVE-2026-15775 addresses an insufficient policy enforcement issue.
CVE-2026-15776, reported by security researcher Salvatore Gulizia, is a type confusion vulnerability in V8, which can cause memory corruption by allowing code to treat an object as a different type.
The release also fixes use-after-free bugs in the GPU, Core, Skia, and UI components. Additionally, it addresses insufficient validation and policy enforcement flaws in HTML-in-Canvas, Linux Toolkit Theming, Media, and Navigation.
Google credited its internal researchers, Microsoft researcher xinchaotian, and independent researcher Salvatore Gulizia for their reports included in this release. Some reporter information and reward amounts remain listed as “TBD.”
Users can install the update by opening Chrome, navigating to Settings, selecting “About Chrome,” and relaunching the browser after the update downloads.
Security teams should verify that managed endpoints are running Chrome version 150.0.7871.124 or later on Linux, and versions 150.0.7871.124/.125 or later on Windows and macOS.
Attackers Move in Seconds. Defenses Take Hours! Blackpoint Built the Answer – Attend a Free Webinar on AI SOC Agent to contain a live attack.
The post Chrome 150 Security Update Patches 15 Flaws, Including Two Critical Code Execution Ones appeared first on Cyber Security News.



