PROBABLYPWNED
VulnerabilitiesJuly 6, 20263 min read

Chrome 151 Patches 382 Flaws Including 15 Critical RCE Bugs

Google releases Chrome 151 fixing 382 vulnerabilities including 15 critical use-after-free and type confusion bugs enabling remote code execution across Windows, macOS, and Linux.

Marcus Chen

Google shipped Chrome 151 on July 1, patching an extraordinary 382 security vulnerabilities—including 15 critical bugs that could let attackers run arbitrary code through malicious web pages. This is among the largest single-release security updates in Chrome's history and affects Windows, macOS, Linux, and iOS deployments.

What Makes This Update Unusual

The sheer volume stands out. Of the 382 flaws, 15 carry critical severity ratings, 67 are rated high, 169 medium, and 131 low. Most of the critical issues are use-after-free vulnerabilities—memory corruption bugs where the browser continues referencing memory after it's been freed, allowing attackers to hijack that memory and execute code.

The critical CVEs span sensitive browser subsystems: Extensions, GPU abstraction, WebUSB, Chromoting (remote desktop), and display stacks. Type confusion bugs in the Dawn graphics library and insufficient validation in ANGLE and Skia rendering engines round out the high-impact list.

Critical CVE Details

The 15 maximum-severity vulnerabilities track as CVE-2026-13774 through CVE-2026-13788. Affected components include:

  • Extensions framework - Use-after-free enabling sandbox escape
  • GPU process - Memory corruption in graphics abstraction layer
  • WebUSB - Use-after-free when handling USB device connections
  • Chromoting - Remote desktop component memory handling flaw
  • Dawn graphics library - Type confusion vulnerability
  • ANGLE/Skia - Input validation failures in rendering engines

Google restricts full technical details until most users update, but the bug classes involved—UAF and type confusion—are the bread and butter of browser exploitation. These primitives reliably convert memory corruption into full code execution when weaponized.

AI-Powered Bug Hunting at Scale

What explains such a massive single-release patch count? Google found 358 of the 382 vulnerabilities internally using AI-powered fuzzing tools. Modern memory-safety tooling like AddressSanitizer, MemorySanitizer, and automated fuzzing frameworks are surfacing flaws that would have taken humans years to discover.

This represents both a security improvement and a disclosure management challenge. Finding bugs faster than attackers is good. Releasing 382 patches at once gives defenders a narrow window to update before exploitation begins.

Active Exploitation Concerns

At least one vulnerability, CVE-2026-11645, is confirmed by CISA as actively exploited in the wild. The agency added it to the Known Exploited Vulnerabilities catalog, requiring federal agencies to patch immediately.

The combination of critical severity, active exploitation, and widespread Chrome deployment makes this update urgent. Chrome's auto-update mechanism helps, but enterprise environments with managed browsers often lag behind consumer deployments.

Who Needs to Act

Every Chrome installation across Windows, macOS, Linux, and iOS requires updating to version 151 (build 150.0.7871.46 on desktop). Enterprise administrators should prioritize pushing this update through management consoles rather than waiting for users to restart browsers naturally.

Organizations running Chromium-based browsers—Edge, Brave, Opera, and others—should monitor for corresponding patches from those vendors. The underlying vulnerabilities affect the shared Chromium codebase.

How to Update

Chrome typically updates automatically, but manual verification ensures you're protected:

  1. Open Chrome menu (three dots) → Help → About Google Chrome
  2. Chrome will check for and install updates
  3. Click "Relaunch" to complete the update

For enterprises, use group policy or Chrome Browser Cloud Management to force immediate updates across your fleet.

Why This Matters

Browser vulnerabilities remain the primary initial access vector for targeted attacks. A single malicious page can compromise a system if the browser is unpatched. The Cursor IDE vulnerabilities we covered recently showed how even development tools face browser-adjacent risks, and attackers increasingly chain browser flaws with AI tool exploitation for initial access.

Patch now. The 15 critical vulnerabilities alone justify treating this as an emergency update, and active exploitation of at least one CVE means attackers aren't waiting.

Related Articles