Google pushed out an emergency security patch for its Chrome browser on Tuesday, fixing a dangerous memory leak in the Skia graphics engine that could let malicious websites siphon off sensitive data from your PC. The update to version 150.0.7871.46 addresses CVE-2026-14414, a flaw that impacts all Chrome users on Windows, Mac, and Linux. If you’re still running an older build—anything below 150.0.7871.46—you are at risk.
What the Chrome 150 Update Actually Fixes
Chrome 150.0.7871.46 closes a memory leak in Skia, the 2D graphics library that handles everything from text rendering to complex image formats like WebP and AVIF. A memory leak occurs when the browser reserves memory for a task but never releases it after use. Over time, this can leave fragments of sensitive information—passwords, cookies, authentication tokens, or even system memory contents—dangling in the browser’s memory space. An attacker who lures you to a specially crafted website can trigger the leak and use side-channel reading techniques to steal that data.
Google hasn’t published the full technical breakdown, a common practice to give users time to patch before attackers reverse-engineer the fix. Still, the advisory classifies the vulnerability as high severity and notes it was reported by an external researcher. While Google hasn’t confirmed active exploitation, the timeline—an out-of-band update just days after the standard release cycle—suggests the flaw may have been caught being used in limited attacks.
The Skia library is a core component of Chromium, the open-source browser project that underpins Chrome, Microsoft Edge, Brave, Opera, Vivaldi, and many others. This means other browsers that rely on Chromium could be vulnerable until their vendors issue their own patches. Users of those browsers should check for updates immediately.
Who Should Worry—and How to Respond
For everyday users: The fix is trivial. Open Chrome, click the three-dot menu, go to Help > About Google Chrome, let the update download, and click Relaunch. That’s it. Chrome’s automatic update mechanism will eventually apply the patch, but manually triggering it ensures you’re protected right now. Do not ignore the update prompt. Each hour you delay leaves your system open to drive-by data theft.
For power users: If you run multiple Chrome profiles, keep dozens of tabs open, or have Chrome processes persisting in the background, a clean restart is critical. After updating, check Task Manager (Windows) or Activity Monitor (Mac) to make sure no stale chrome.exe processes are hanging around. Stale processes may still run the vulnerable version and expose data.
For IT administrators: This is a priority patch. Push the update via Group Policy (using Chrome’s administrative templates), SCCM, or your endpoint management platform. Google publishes an MSI installer for enterprise deployments that supports silent installation. If you manage Chromium-based browsers like Edge, contact those vendors for their advisory. In the meantime, consider blocking access to untrusted websites through your proxy or DNS filtering until all clients are patched.
Which browsers are affected?
Because Skia is part of the Chromium codebase, most Chromium-based browsers likely contain the same flawed code. Here’s a quick reference:
| Browser | Status |
|---|---|
| Google Chrome | Fixed in 150.0.7871.46 |
| Microsoft Edge | Awaiting patch (Microsoft typically follows within 24-48 hours) |
| Brave | Likely affected; check for updates |
| Opera | Likely affected; check for updates |
| Vivaldi | Likely affected; check for updates |
Always verify with the browser vendor before relying on this table.
The Big Picture: Why Skia Is a Frequent Target
Skia is a rich attack surface because it parses so many image formats—PNG, JPEG, GIF, WebP, AVIF, and more. Each format parser is a potential entry point for memory corruption. In the past two years alone:
- 2024: A heap buffer overflow in Skia’s WebP handling (CVE-2024-4947) allowed remote code execution via a malicious image.
- 2025: An out-of-bounds write in Skia’s AVIF decoder (CVE-2025-0119) was used in targeted attacks against journalists.
Memory leaks, while often less dramatic than code execution, are insidious. They don’t crash your browser; they silently bleed data. A string of characters from your bank page, a sliver of a session cookie—these fragments, when pieced together by an attacker, can unravel your digital life.
The rapid patching cadence of Chrome—a new milestone every four weeks, with bi-weekly stable refreshes—means fixes are never far away. But the burden is on users and admins to apply them. A Chrome update sits dormant until you restart the browser. How many days do you go between restarts?
How to Update Chrome Right Now (Step-by-Step)
- Open Chrome.
- Click the three vertical dots (⋮) in the top-right corner.
- Select Help > About Google Chrome.
- Chrome will check for updates automatically. If an update is available, it’ll start downloading.
- Once the download completes, click Relaunch.
- After the relaunch, go back to About Google Chrome to verify the version. You should see
150.0.7871.46 (Official Build) (64-bit)(or similar for your platform).
Mobile users: Android users, open the Play Store, search for Chrome, and tap Update. iOS users, open the App Store, tap your profile icon, find Chrome, and update.
Linux users: Use your distribution’s package manager. For Debian/Ubuntu: sudo apt update && sudo apt upgrade google-chrome-stable. For Fedora: sudo dnf upgrade google-chrome-stable.
If you can’t update immediately, avoid opening links from emails or messaging apps. Consider temporarily disabling JavaScript in Chrome’s site settings, but be aware many sites will break. The only solid protection is the patch.
What Comes Next
Google will publish a detailed security advisory in the coming days, likely after a majority of users have patched. Expect other Chromium-based browsers to release their own fixes quickly—Microsoft Edge, for instance, usually adapts Chrome’s security patches within a day or two. Network defenders should monitor for any increase in exploitation attempts; if this vulnerability was used in targeted attacks, it will soon be weaponized more broadly.
Longer term, this incident underscores the need for automatic, silent browser updates. Chrome’s auto-update works well, but the restart requirement is the weak link. Some enterprise tools can force a restart after a set period; evaluate whether your organization’s fleet can benefit from such policies. For home users, the best defense is habit: close your browser at the end of the day. That simple act ensures you wake up to the latest, most secure version.