Skip to content

Chrome keeps shipping critical patches, and Google is finding most of the bugs itself

Chrome 150 Update Patches 27 Bugs, Two Critical Flaws Fixed

Google shipped a new Chrome 150 security update on July 8, 2026, patching 27 vulnerabilities including two critical flaws that could let an attacker hijack the browser. Both critical bugs are use after free issues, one in Chrome’s Ozone component and one in Views, and Google’s own security team found both before anyone outside the company noticed.

That detail matters more than the bug count. Nine days earlier, Chrome shipped a patch covering 382 vulnerabilities. The pace of these updates, and who keeps finding the bugs, says something about how Chrome’s security testing has changed this year.

TL;DR: Chrome 150.0.7871.114 fixes 27 vulnerabilities, including two critical use after free bugs in Ozone and Views that Google’s own engineers found first. Only three of the 27 fixes came from outside researchers, who split $3,000 in bounty rewards combined. This is Chrome’s second major security patch in nine days, following a 382 bug fix on June 30. The update installs automatically, but restarting the browser is what actually applies it.

What the Chrome 150 security update actually fixes

The Chrome 150 security update moves the stable channel to version 150.0.7871.114 on Linux and 150.0.7871.114/.115 on Windows and Mac, rolling out gradually over the coming days and weeks. Twenty seven vulnerabilities are patched in total.

The two critical flaws are CVE-2026-15112, a use after free bug in Ozone that Google reported internally on May 29, and CVE-2026-15129, a use after free bug in Views reported on June 15. Both components sit close to how Chrome renders and manages windows, which is part of why a use after free bug there earns a critical rating instead of high.

Thirteen of the 27 fixes are use after free defects in total, spread across Extensions, Autofill, Payments, WebRTC, Forms, and Input. The rest cover uninitialized memory, integer overflow, out of bounds reads and writes, and gaps in how Chrome validates untrusted input from web pages.

Chrome updateRelease dateVulnerabilities fixedCritical bugs
Chrome 14918
Chrome 150 (150.0.7871.46/.47)June 30, 202638215
Chrome 150 (150.0.7871.114/.115)July 8, 2026272

Google is finding these bugs before anyone else does

Only three of the 27 vulnerabilities in this update were reported by researchers outside Google. Pierre Langlois at Arm and Jihyeon Jeong, a research intern at Seoul National University’s Compsec Lab, each received $500 for separate bugs, and a researcher at Ant Group’s Tianqiong Security Lab received $2,000 for a use after free bug in IndexedDB. That is $3,000 total in external bounty payouts on an update that fixes 27 flaws.

Everything else, including both critical bugs, came from Google’s own security team using tools like AddressSanitizer, libFuzzer, and Control Flow Integrity checks built into Chrome’s own testing pipeline. SecurityWeek reported that Google’s internal discoveries have outpaced external bug bounty submissions for months, a shift the outlet links to Google applying AI assisted fuzzing more aggressively across Chrome’s codebase.

That is not a bad outcome. A bug Google finds before shipping never reaches an attacker. But it also means the number of vulnerabilities being found each month keeps climbing, and 27 is a light month by 2026 standards.

Why Chrome keeps shipping patches this fast

This is Chrome’s second major security update in nine days. On June 30, Google shipped a patch covering 382 vulnerabilities, 15 of them critical, the largest single Chrome security update of the year so far. Before that, Chrome 149 resolved 18 severe vulnerabilities in a separate June update.

Since April, Google says it has fixed more than 1,400 Chrome vulnerabilities, and the updates released in June and July alone accounted for over 1,000 of those fixes. That pace is new. Chrome’s four week release cycle has not changed, but the volume of bugs found and patched within each cycle has grown sharply.

Code level bugs are only half of what Chrome is tightening right now. Google’s Chrome Web Store rules for extensions changed on a similar timeline, targeting a completely different kind of risk.

What to actually do about this update

Chrome installs the 150.0.7871.114 update automatically in the background, but the fix does not take effect until the browser restarts. Open chrome://settings/help to confirm the version number, and Chrome will finish applying any pending update the moment that page loads.

Google has not said either critical bug is being actively exploited, and its advisory names the affected components without describing exact attack paths, which is standard practice while a fix is still rolling out. Waiting a day or two to restart your browser is not usually dangerous, but leaving Chrome open for weeks without a restart is exactly the kind of gap these updates are built to close.

For most people, the fix here is one restart away. The more interesting number is not 27, it is how few of those 27 bugs came from anyone Google does not already employ.

Leave a Reply

Your email address will not be published. Required fields are marked *