Chrome 151 Patches 382 Flaws Including 15 Critical RCE Bugs
Google releases Chrome 151 fixing 382 vulnerabilities including 15 critical use-after-free and type confusion bugs enabling remote code execution across Windows, macOS, and Linux.
Google shipped Chrome 151 on July 1, patching an extraordinary 382 security vulnerabilities—including 15 critical bugs that could let attackers run arbitrary code through malicious web pages. This is among the largest single-release security updates in Chrome's history and affects Windows, macOS, Linux, and iOS deployments.
What Makes This Update Unusual
The sheer volume stands out. Of the 382 flaws, 15 carry critical severity ratings, 67 are rated high, 169 medium, and 131 low. Most of the critical issues are use-after-free vulnerabilities—memory corruption bugs where the browser continues referencing memory after it's been freed, allowing attackers to hijack that memory and execute code.
The critical CVEs span sensitive browser subsystems: Extensions, GPU abstraction, WebUSB, Chromoting (remote desktop), and display stacks. Type confusion bugs in the Dawn graphics library and insufficient validation in ANGLE and Skia rendering engines round out the high-impact list.
Critical CVE Details
The 15 maximum-severity vulnerabilities track as CVE-2026-13774 through CVE-2026-13788. Affected components include:
- Extensions framework - Use-after-free enabling sandbox escape
- GPU process - Memory corruption in graphics abstraction layer
- WebUSB - Use-after-free when handling USB device connections
- Chromoting - Remote desktop component memory handling flaw
- Dawn graphics library - Type confusion vulnerability
- ANGLE/Skia - Input validation failures in rendering engines
Google restricts full technical details until most users update, but the bug classes involved—UAF and type confusion—are the bread and butter of browser exploitation. These primitives reliably convert memory corruption into full code execution when weaponized.
AI-Powered Bug Hunting at Scale
What explains such a massive single-release patch count? Google found 358 of the 382 vulnerabilities internally using AI-powered fuzzing tools. Modern memory-safety tooling like AddressSanitizer, MemorySanitizer, and automated fuzzing frameworks are surfacing flaws that would have taken humans years to discover.
This represents both a security improvement and a disclosure management challenge. Finding bugs faster than attackers is good. Releasing 382 patches at once gives defenders a narrow window to update before exploitation begins.
Active Exploitation Concerns
At least one vulnerability, CVE-2026-11645, is confirmed by CISA as actively exploited in the wild. The agency added it to the Known Exploited Vulnerabilities catalog, requiring federal agencies to patch immediately.
The combination of critical severity, active exploitation, and widespread Chrome deployment makes this update urgent. Chrome's auto-update mechanism helps, but enterprise environments with managed browsers often lag behind consumer deployments.
Who Needs to Act
Every Chrome installation across Windows, macOS, Linux, and iOS requires updating to version 151 (build 150.0.7871.46 on desktop). Enterprise administrators should prioritize pushing this update through management consoles rather than waiting for users to restart browsers naturally.
Organizations running Chromium-based browsers—Edge, Brave, Opera, and others—should monitor for corresponding patches from those vendors. The underlying vulnerabilities affect the shared Chromium codebase.
How to Update
Chrome typically updates automatically, but manual verification ensures you're protected:
- Open Chrome menu (three dots) → Help → About Google Chrome
- Chrome will check for and install updates
- Click "Relaunch" to complete the update
For enterprises, use group policy or Chrome Browser Cloud Management to force immediate updates across your fleet.
Why This Matters
Browser vulnerabilities remain the primary initial access vector for targeted attacks. A single malicious page can compromise a system if the browser is unpatched. The Cursor IDE vulnerabilities we covered recently showed how even development tools face browser-adjacent risks, and attackers increasingly chain browser flaws with AI tool exploitation for initial access.
Patch now. The 15 critical vulnerabilities alone justify treating this as an emergency update, and active exploitation of at least one CVE means attackers aren't waiting.
Related Articles
Chrome V8 Zero-Day Under Active Exploitation — Update Now
Google patches CVE-2026-11645, the fifth actively exploited Chrome zero-day of 2026. The V8 out-of-bounds memory flaw enables sandbox code execution via malicious web pages.
Jun 10, 2026Exim Mail Server RCE Requires Zero Auth—Patch to 4.99.3 Now
CVE-2026-45185 is a use-after-free in Exim affecting GnuTLS builds with BDAT support. Unauthenticated attackers can achieve remote code execution via crafted SMTP traffic.
Jun 7, 2026Chrome 148 Patches 79 Vulnerabilities Including 14 Critical Flaws
Google's May 2026 Chrome update addresses 79 security issues with 14 rated critical. Memory corruption bugs dominate—update immediately to version 148.0.7778.167.
May 15, 2026Bad Epoll: Linux Kernel Flaw Grants Root on Servers and Android
CVE-2026-46242 exploits a use-after-free race in Linux epoll, giving unprivileged users root access with 99% reliability. Servers and Android devices at risk.
Jul 4, 2026