VYPR
Published Jul 16, 2026· Updated Jul 17, 2026· 1 source

Google Chrome: 15 Vulnerabilities Patched, Including Critical Ozone Flaws

Key findings • Google Chrome version 150.0.7871.125 patches 15 vulnerabilities disclosed on July 16, 2026. • Two critical use-after-free vulnerabilities in the Ozone component (CVE-2026-15764

Key findings

  • Google Chrome version 150.0.7871.125 patches 15 vulnerabilities disclosed on July 16, 2026.
  • Two critical use-after-free vulnerabilities in the Ozone component (CVE-2026-15764, CVE-2026-15765) were addressed.
  • Flaws include heap buffer overflows, insufficient validation, and inappropriate implementations across various components like libyuv, Skia, and V8.
  • Vulnerabilities affect multiple platforms including Windows, Linux, and Android.
  • While exploit code may be public for some related flaws, no active exploitation in the wild is reported for this batch.

On July 16, 2026, Google released a batch of 15 security advisories for its Chrome browser, addressing a range of vulnerabilities including critical flaws in the Ozone component. These updates, all published on the same day, aim to fix memory corruption issues and other security weaknesses that could allow remote attackers to execute code or gain sensitive information. The most severe of these, CVE-2026-15764 and CVE-2026-15765, are critical use-after-free vulnerabilities within the Ozone layer, which handles platform integration for windowing, input, and graphics.

Several vulnerabilities fall under the category of "Use after free," a common memory corruption bug. These include CVE-2026-15765 and CVE-2026-15764, both critical flaws in Ozone affecting Windows and Linux respectively, which could lead to heap corruption. CVE-2026-15772, a high-severity use-after-free in the GPU component on Android, and CVE-2026-15777 in the UI component on Linux, also pose significant risks, potentially allowing for sandbox escapes or heap corruption. Further use-after-free vulnerabilities were identified in Skia (CVE-2026-15774) and Core (CVE-2026-15773) components, both rated high severity and capable of leading to sandbox escapes.

Beyond use-after-free bugs, other notable vulnerabilities include a heap buffer overflow in libyuv (CVE-2026-15767), a high-severity flaw on Windows that could allow arbitrary code execution within a sandbox via a crafted video file. Insufficient validation of untrusted input was also a recurring theme, with CVE-2026-15778 in Navigation and CVE-2026-15769 in Linux Toolkit Theming, both high-severity flaws that could lead to sandbox escapes. CVE-2026-15771 in the Media component on Windows, also rated high, could allow sensitive information disclosure. Additionally, insufficient policy enforcement in HTML-in-Canvas (CVE-2026-15768) and inappropriate implementations in V8 (CVE-2026-15775, CVE-2026-15776) were disclosed, with the latter potentially allowing arbitrary code execution. Uninitialized use in Skia (CVE-2026-15766) and V8 (CVE-2026-15770) could lead to information disclosure.

The batch of vulnerabilities was disclosed on July 16, 2026, with Google releasing Chrome version 150.0.7871.125 to address these issues. While some related advisories mention that exploit code for certain vulnerabilities may be public, there is no indication of active exploitation in the wild for this specific batch of Chrome flaws. Users are advised to update to the latest version to protect themselves from potential attacks.

This coordinated disclosure highlights the ongoing efforts to secure complex software like web browsers. The variety of vulnerabilities, from memory corruption to input validation flaws, underscores the multifaceted nature of browser security. Users should remain vigilant and ensure their browsers are updated promptly to mitigate risks associated with newly discovered security weaknesses. The consistent patching of such issues is crucial for maintaining the integrity and security of the web ecosystem.

Synthesized by Vypr AI