Chromium: 11 Vulnerabilities Patched, Two Critical Ozone Flaws Addressed
Google patched 11 Chromium vulnerabilities on July 16, 2026, including two critical "Use after free" flaws in the Ozone component.

Key findings
- 11 CVEs disclosed on July 16, 2026, impacting Chromium.
- Two critical "Use after free" vulnerabilities in the Ozone component were patched.
- High-severity flaws found in GPU, UI, Skia, Core, and V8 components across platforms.
- No active exploitation in the wild reported for this batch.
- Patched in Google Chrome version 150.0.7871.125.
On July 16, 2026, Google released a significant security update for its Chromium browser, addressing a batch of 11 vulnerabilities disclosed on the same day. The update, which corresponds to Chrome version 150.0.7871.125, includes two critical flaws related to "Use after free" in the Ozone component, affecting multiple platforms including Linux and Windows. These vulnerabilities could allow remote attackers to exploit heap corruption or perform sandbox escapes via crafted HTML pages.
Several of the disclosed vulnerabilities stem from "Use after free" errors in various components. CVE-2026-15765 and CVE-2026-15764, both rated critical, specifically target the Ozone component on different platforms. High-severity "Use after free" flaws were also found in the GPU component on Android (CVE-2026-15772), the UI component on Linux (CVE-2026-15777), and the Skia graphics library (CVE-2026-15774). Another "Use after free" vulnerability in the Core component on Windows (CVE-2026-15773) also carries a high severity rating.
Beyond memory corruption issues, other vulnerabilities include insufficient policy enforcement in HTML-in-Canvas (CVE-2026-15768, High) and insufficient validation of untrusted input in Navigation (CVE-2026-15778, Medium) and Media (CVE-2026-15771, High). The latter two could allow attackers to bypass navigation restrictions or obtain sensitive information. Additionally, an "Uninitialized Use" vulnerability in Skia (CVE-2026-15766, High) could lead to the disclosure of sensitive process memory. An "Inappropriate implementation" in the V8 JavaScript engine (CVE-2026-15775, High) also poses a risk by allowing bypass of the same-origin policy.
While multiple news outlets reported on these updates, including Vypr Intelligence and Cyber Security News, none indicated active exploitation in the wild for this specific batch of vulnerabilities. However, the presence of critical severity flaws, particularly the "Use after free" bugs in Ozone, highlights the importance of prompt patching.
The vulnerabilities were addressed in Google Chrome version 150.0.7871.125. Users are strongly advised to update their browsers to this version or later to mitigate the risks associated with these security flaws. The gradual rollout of updates means users should remain vigilant and ensure their browsers are updated as soon as possible.
This coordinated disclosure of 11 vulnerabilities underscores the ongoing efforts to secure the Chromium ecosystem. Users should remain aware of the importance of keeping their browsers updated, as new vulnerabilities are discovered and patched regularly. The focus on memory safety issues like "Use after free" in this batch indicates a continued area of concern for browser security.