All incidents

Chrome and Firefox patch critical use-after-free vulnerabilities

vulnerabilityopenJul 15, 2026 — Jul 17, 2026
Google Chrome 150 patches three critical Use After Free flaws

GOOGLE has released Chrome version 150.0.7871.128/.129, patching three critical use‑after‑free vulnerabilities that affect the browser on Windows, macOS and Linux. The update, announced on 16 July 2026, addresses flaws in the CameraCapture, GPU and Network components and follows a rapid report‑to‑fix cycle for the Network issue. Users are urged to apply the patch immediately to prevent potential compromise. Google’s Chrome release blog.

The CameraCapture flaw is tracked as CVE-2026-15718 with a CVSS score of 4.3, while the related issue CVE-2026-15719 carries a score of 5.4; both are classified as medium severity and involve improper memory handling when processing video streams. The GPU and Network weaknesses are identified as CVE-2026-15764 and CVE-2026-15765, each rated at CVSS 7.5 and classified as high severity due to their potential to allow arbitrary code execution.

Exploitation of these use‑after‑free conditions requires an attacker to lure a victim to a specially crafted web page that triggers the faulty memory access, after which malicious code could run with the privileges of the browser process. Google noted that the Network vulnerability was reported only six days before the patch was made available, highlighting the speed of the internal response. To date, there is no evidence of active exploitation in the wild for any of the four flaws.

According to a SecurityWeek report, Mozilla’s Firefox 152 update issued the same day addressed two critical flaws, CVE-2026-15718 and CVE-2026-15719, for which public exploit code has been observed. In contrast, Google’s Chrome advisory notes that none of its newly patched vulnerabilities are known to be exploited in attacks, although the flaws were discovered primarily by the company’s internal security teams. The simultaneous releases illustrate how browser vendors are coordinating responses to similar memory‑safety issues.

The batch of patches serves as a reminder that complex browser subsystems remain attractive targets for threat actors seeking to bypass sandbox protections. While no exploitation has been detected, the speed with which Google moved from report to fix demonstrates the value of streamlined vulnerability handling programmes. Organisations should treat browser updates as a priority comparable to operating‑system patches.

Defenders should start by confirming that all endpoints are running Chrome 150.0.7871.128 or later; the version number can be checked via the Chrome menu under Help → About Google Chrome. Where automatic updates are disabled, administrators can push the latest build through group policy or mobile device management tools, and users can force a check by navigating to chrome://settings/help. It is also sensible to review any recent abnormal browser crashes or unexpected plugin loads that might indicate an attempted exploit.

Finally, maintain up‑to‑date endpoint detection and response signatures, monitor web‑proxy logs for visits to unknown or newly registered domains, and consider isolating any system that exhibits suspicious behaviour until the patch has been verified. Because the rollout of the update may take several days, forcing the installation via the About page ensures immediate protection.

Intelligence briefing updated Jul 17, 2026

CVE-2026-15764 7.5 CVE-2026-15765 7.5 CVE-2026-15719 5.4 CVE-2026-15718 4.3
Root sourcechromereleases.googleblog.com
Timeline Coverage

Swipe to explore timeline