VYPR
patchPublished Jul 9, 2026· Updated Jul 10, 2026· 1 source

Chromium: 25 Vulnerabilities Patched in Single July 2026 Disclosure Event

Key findings • Google patched 25 vulnerabilities in Chromium on July 9, 2026, including critical use-after-free and inappropriate implementation flaws. • Vulnerabilities affected numerous Chr…

Key findings

  • Google patched 25 vulnerabilities in Chromium on July 9, 2026, including critical use-after-free and inappropriate implementation flaws.
  • Vulnerabilities affected numerous Chrome components such as Forms, Extensions, Navigation, V8, and Codecs.
  • The update addresses risks including arbitrary code execution, sandbox escapes, and UXSS.
  • Critical flaws CVE-2026-15129 and CVE-2026-15112 were among the most severe issues patched.
  • The update brings Chrome to version 150.0.7871.115 on Windows/macOS and 150.0.7871.114 on Linux.

On July 9, 2026, Google released Chrome version 150.0.7871.115 for Windows and macOS, and version 150.0.7871.114 for Linux, to address a significant batch of 25 vulnerabilities. This coordinated disclosure event included a range of issues, with a particular focus on "use after free" errors and "inappropriate implementation" flaws across various components. The update addresses risks including arbitrary code execution, sandbox escapes, and cross-site scripting (UXSS).

Several vulnerabilities were grouped by their affected component:

Use After Free Vulnerabilities

A significant portion of the disclosed vulnerabilities were of the "use after free" type, indicating a common memory management issue. These flaws were found in components such as Extensions (CVE-2026-15110), Views (CVE-2026-15111, CVE-2026-15129), Input (CVE-2026-15118), Ozone (CVE-2026-15112), Actor (CVE-2026-15116), Autofill (CVE-2026-15113), Core (CVE-2026-15120), and WebRTC (CVE-2026-15121). These issues could allow attackers to exploit heap corruption or perform sandbox escapes. Notably, CVE-2026-15129 and CVE-2026-15112 were categorized as critical severity.

Inappropriate Implementation Vulnerabilities

Flaws categorized as "inappropriate implementation" were identified in Forms (CVE-2026-15128, CVE-2026-15125), Navigation (CVE-2026-15130, CVE-2026-15131), and WebGL (CVE-2026-15127). These vulnerabilities could lead to arbitrary script or HTML injection (UXSS) or allow attackers to bypass site isolation.

Other Vulnerability Classes

Additional vulnerabilities included a "Race" condition in GetUserMedia (CVE-2026-15119), which could lead to a sandbox escape, and "Uninitialized Use" in V8 (CVE-2026-15132), allowing arbitrary code execution within a sandbox. "Insufficient policy enforcement" was noted in Navigation (CVE-2026-15130, CVE-2026-15131) and Passwords (CVE-2026-15124), potentially enabling bypasses of site isolation or same-origin policies. "Insufficient validation of untrusted input" was found in Codecs (CVE-2026-15122) and WebAppInstalls (CVE-2026-15115), with the former allowing a sandbox escape and the latter a same-origin policy bypass. Out-of-bounds read and write vulnerabilities were present in Codecs (CVE-2026-15114), potentially leading to heap corruption.

The vulnerabilities were patched in Chrome version 150.0.7871.115. Users are strongly advised to update to this version to protect against potential exploitation. While no specific threat actors or campaigns were mentioned in the advisories, the sheer number and severity of the vulnerabilities underscore the importance of timely patching for all users.

This batch of vulnerabilities highlights the ongoing challenges in securing complex software like web browsers. The variety of bug classes and affected components indicates the need for continuous security auditing and robust development practices. Users should remain vigilant and ensure their browsers are updated promptly following such disclosure events. Vypr Intelligence Cyber Security News

Synthesized by Vypr AI