This Stable Channel update addresses 15 security vulnerabilities, including two critical memory safety issues in Ozone.
The update will be released gradually and may take days or even weeks to reach every desktop device.
Google advises both organizations and individual users to update Chrome as soon as the release becomes available.
Both are use-after-free vulnerabilities in Ozone, Chrome’s platform integration layer responsible for windowing, input, graphics, and display-related functions on supported operating systems.
Additionally, it addresses insufficient validation and policy enforcement flaws in HTML-in-Canvas, Linux Toolkit Theming, Media, and Navigation.
Google has rolled out Chrome version 150.0.7871.124/.125 for Windows and macOS, and version 150.0.7871.124 for Linux users. This Stable Channel update addresses 15 security vulnerabilities, including two critical memory safety issues in Ozone.
The update will be released gradually and may take days or even weeks to reach every desktop device. Google advises both organizations and individual users to update Chrome as soon as the release becomes available.
The most serious vulnerabilities are tracked as CVE-2026-15764 and CVE-2026-15765. Both are use-after-free vulnerabilities in Ozone, Chrome’s platform integration layer responsible for windowing, input, graphics, and display-related functions on supported operating systems.
A use-after-free flaw occurs when software continues to access memory after it has been released. An attacker could potentially manipulate this memory to force the application to execute unintended code. In a browser scenario, an attacker could use a specially crafted website or web content to trigger this flaw.
CVE Severity Vulnerability Affected component CVE-2026-15764 Critical Use-after-free Ozone CVE-2026-15765 Critical Use-after-free Ozone CVE-2026-15766 High Uninitialized use Skia CVE-2026-15767 High Heap buffer overflow libyuv CVE-2026-15768 High Insufficient policy enforcement HTML-in-Canvas CVE-2026-15769 High Insufficient validation of untrusted input Linux Toolkit Theming CVE-2026-15770 High Uninitialized use V8 CVE-2026-15771 High Insufficient validation of untrusted input Media CVE-2026-15772 High Use-after-free GPU CVE-2026-15773 High Use-after-free Core CVE-2026-15774 High Use-after-free Skia CVE-2026-15775 High Insufficient policy enforcement V8 CVE-2026-15776 High Type confusion V8 CVE-2026-15777 High Use-after-free UI CVE-2026-15778 Medium Insufficient validation of untrusted input Navigation
Google has rated both Ozone vulnerabilities as critical. While the company has not released detailed technical information about the exploits, their severity suggests they could lead to code execution under certain conditions.
Google plans to keep bug information restricted until most Chrome users have installed the necessary fixes to reduce the risk of attackers weaponizing the vulnerabilities against unpatched systems.
Chrome 150 also fixes several high-severity bugs across key browser components. These include CVE-2026-15766, an uninitialized-use flaw in Skia (Chrome’s graphics rendering library), and CVE-2026-15767, a heap buffer overflow in libyuv, a library used for image and video format conversion.
Other high-severity vulnerabilities affect V8, Chrome’s JavaScript and WebAssembly engine. CVE-2026-15770 pertains to uninitialized memory use in V8, while CVE-2026-15775 addresses an insufficient policy enforcement issue.
CVE-2026-15776, reported by security researcher Salvatore Gulizia, is a type confusion vulnerability in V8, which can cause memory corruption by allowing code to treat an object as a different type.
The release also fixes use-after-free bugs in the GPU, Core, Skia, and UI components. Additionally, it addresses insufficient validation and policy enforcement flaws in HTML-in-Canvas, Linux Toolkit Theming, Media, and Navigation.
Google credited its internal researchers, Microsoft researcher xinchaotian, and independent researcher Salvatore Gulizia for their reports included in this release. Some reporter information and reward amounts remain listed as “TBD.”
Users can install the update by opening Chrome, navigating to Settings, selecting “About Chrome,” and relaunching the browser after the update downloads.
Security teams should verify that managed endpoints are running Chrome version 150.0.7871.124 or later on Linux, and versions 150.0.7871.124/.125 or later on Windows and macOS.
Attackers Move in Seconds. Defenses Take Hours! Blackpoint Built the Answer – Attend a Free Webinar on AI SOC Agent to contain a live attack.