Google Patches 27 Chrome Flaws, Two Rated Critical

Chrome 150 arrives with fixes for a string of memory-related bugs, most of them found by Google's own engineers rather than outside researchers.

ThreatVectr Newsdesk· 3 min read
Close-up top-down view of a sleek laptop keyboard with a shallow depth of field, the screen faintly glowing blue-white with an abstract grid of hexagonal shapes
Share

Key points

  • Google released Chrome 150 on a Wednesday in July 2025, fixing 27 security flaws in total.
  • Two of those flaws are rated critical, meaning attackers could use them to cause serious harm to affected machines.
  • External researchers reported only 3 of the 27 bugs and received a combined $3,000 in rewards.
  • Since April 2025, Google has patched more than 1,400 Chrome vulnerabilities, with over 1,000 fixed in June and July alone.
  • Chrome 150 is available now as version 150.0.7871.114/115 for Windows and macOS, and version 150.0.7871.114 for Linux.

Google has pushed out a security update for Chrome 150, fixing 27 vulnerabilities, including two it rates critical. Critical is the highest severity label Google applies, reserved for flaws that could let an attacker take meaningful control of a device without much help from the person sitting in front of it.

Both critical bugs are "use-after-free" errors, a class of memory flaw where a program accidentally keeps using a piece of memory it has already released, like picking up a phone call on a line that was supposed to be disconnected. Doing so can let attackers run their own code on the machine. One flaw sits in Chrome's Ozone component, which handles how the browser talks to the underlying operating system on Linux. The other is in Chrome's Views component, which manages the browser's visual interface elements. Google found both internally last month.

Across the full update, 13 of the 27 bugs are use-after-free flaws. Ten carry a high-severity rating. The rest of the fixes cover a range of other memory problems, including cases where data is read from the wrong place in memory, where numbers overflow their intended limits, and where the browser fails to properly check incoming data before acting on it.

Should ordinary Chrome users worry?

Not if they update immediately. None of these vulnerabilities are reported as actively exploited in the wild right now, meaning criminals have not been seen using them to attack people yet. That window can close quickly once a patch is public, because sophisticated attackers study what was fixed and work backwards to understand the flaw.

Updating takes about two minutes. In Chrome, click the three-dot menu in the top-right corner, choose Help, then About Google Chrome. The browser will check for the update and apply it. A restart completes the job.

The broader trend behind this update is worth noting. As SecurityWeek first flagged, Google has been finding the vast majority of its own bugs for more than two months, likely because it is using AI tools to scan its own code automatically. The result: far more flaws caught and fixed, but lower bounty payouts to outside researchers, since fewer outsiders are finding issues first. Since April, Google has fixed more than 1,400 Chrome vulnerabilities.

For businesses that manage Chrome across a fleet of employee computers, this is a routine but urgent patch cycle. Push the update through your device-management tools today.

© 2026 Threat Vectr