Google Chrome: 25 Vulnerabilities Patched in Single July 2026 Disclosure Event
Google released Chrome 150.0.7871.115 patching 25 vulnerabilities, including critical use-after-free and implementation flaws across multiple components.

Key findings
- Google patched 25 vulnerabilities in Chrome on July 9, 2026, including critical use-after-free and inappropriate implementation flaws.
- Vulnerabilities affected numerous Chrome components such as Forms, Extensions, Navigation, and V8.
- The update addresses risks including arbitrary code execution, sandbox escapes, and UXSS.
- Critical flaws CVE-2026-15129 and CVE-2026-15112 were among the most severe issues patched.
- The update brings Chrome to version 150.0.7871.115 on Windows/macOS and 150.0.7871.114 on Linux.
On July 9, 2026, Google released Chrome version 150.0.7871.115 to address a significant batch of 25 vulnerabilities, with a particular focus on "use after free" errors and "inappropriate implementation" flaws. This coordinated disclosure event highlights ongoing security challenges within the widely used web browser. The vulnerabilities span various components, including Forms, Extensions, Navigation, InterestGroups, GetUserMedia, Views, V8, IndexedDB, Payments, Codecs, Input, DOM, Passwords, Ozone, Actor, Autofill, WebGL, WebAppInstalls, and Core.
Several vulnerabilities fall into the "use after free" category, a common memory corruption issue. These include CVE-2026-15110, CVE-2026-15133, CVE-2026-15111, CVE-2026-15117, CVE-2026-15126, CVE-2026-15118, CVE-2026-15129, CVE-2026-15112, CVE-2026-15120, and CVE-2026-15113. These flaws, depending on the component, could allow remote attackers to execute arbitrary code, exploit heap corruption, or perform sandbox escapes through crafted web pages, malicious extensions, or specific UI gestures. Notably, CVE-2026-15129 and CVE-2026-15112 were identified as critical severity vulnerabilities by Chromium security.
Another significant group of vulnerabilities involves "inappropriate implementation" and "insufficient policy enforcement" issues. These include CVE-2026-15128, CVE-2026-15130, CVE-2026-15131, CVE-2026-15125, CVE-2026-15124, and CVE-2026-15127. These vulnerabilities could lead to cross-site scripting (UXSS), bypass of site isolation, or bypass of the same-origin policy, all potentially exploitable via crafted HTML pages.
The batch also includes vulnerabilities related to input validation and other memory corruption issues. CVE-2026-15119 (Race in GetUserMedia) and CVE-2026-15122 (Insufficient validation of untrusted input in Codecs) could lead to sandbox escapes. CVE-2026-15132 (Uninitialized Use in V8) and CVE-2026-15114 (Out of bounds read and write in Codecs) present risks of arbitrary code execution and heap corruption, respectively. CVE-2026-15107 (Use after free in IndexedDB) is a medium severity vulnerability that could allow arbitrary code execution. CVE-2026-15108, an integer overflow in the Extensions API, could lead to an out-of-bounds memory read.
The vulnerabilities were addressed in Chrome Stable updates to version 150.0.7871.114/.115 on Windows and macOS, and 150.0.7871.114 on Linux. Users are strongly advised to update their Chrome browsers to the latest version to mitigate these security risks. The coordinated disclosure of these numerous vulnerabilities underscores the importance of timely patching and continuous security vigilance for widely used software like Google Chrome.
The sheer volume and variety of vulnerabilities patched in this single update emphasize the complexity of modern browser security. While many of these flaws are high or critical severity, the prompt patching by Google mitigates the immediate risk to users. However, it serves as a reminder that browser security is an ongoing battle, requiring constant development, testing, and rapid response to emerging threats. Users should remain vigilant and ensure their browsers are always up to date.