Google shipped an urgent update for its Chrome browser today, patching a high-severity vulnerability that could let remote attackers execute arbitrary code within the browser’s sandbox. The flaw, tracked as CVE-2026-13845, is a use-after-free bug in Chrome’s DOM (Document Object Model) handling and affects all platforms: Windows, macOS, and Linux. The fix arrives in Chrome version 150.0.7871.47, and the company has confirmed the vulnerability could be triggered simply by visiting a malicious webpage.
A Patch for a Sandbox-Side Threat
The update, detailed in Google’s latest Chrome release advisory, addresses a memory management error inside the browser’s DOM engine. Use-after-free vulnerabilities occur when a program tries to access memory that has already been freed, leaving the door open for attackers to inject and execute their own code. In this case, the bug sits in a core component that processes web page structure, meaning exploit code could be tucked inside what looks like an ordinary HTML document.
Chrome’s security team has rated the vulnerability as high severity, a notch below the critical ranking reserved for bugs that can compromise the entire operating system. But that doesn’t make CVE-2026-13845 any less dangerous for everyday browsing. Google hasn’t revealed technical details of the flaw—a standard practice to give users time to patch—but it has acknowledged that an exploit already exists in the wild, according to internal sources. This elevates the update from routine maintenance to a must-install patch for anyone running Chrome.
What the Flaw Lets Attackers Do
CVE-2026-13845 targets a specific sequence of operations within Chrome’s DOM code. When a web page frees a memory object but later tries to use it again, the browser can end up reading or writing to a memory location no longer owned by that object. An attacker who controls the contents of that freed memory can hijack the execution flow and run their own code—within the confines of Chrome’s sandbox.
In practical terms, a remote attacker could craft a webpage that, when opened in an unpatched browser, executes arbitrary code on the victim’s machine with the privileges of the sandboxed renderer process. While the sandbox is designed to prevent direct access to the operating system kernel, code execution inside it still grants attackers significant power: they could steal cookies, capture keystrokes, alter page contents, or pair this bug with a second vulnerability to break out of the sandbox entirely. For the typical home user, this translates into a risk of drive-by attacks—no phishing link required, just a visit to a compromised or malicious site.
Enterprise environments face the same threat, multiplied across dozens or thousands of workstations. A single unpatched browser can become the entry point for lateral movement if the attacker manages to chain the sandboxed exploit with a local privilege escalation vulnerability. That’s why security teams treat high-severity browser bugs as imminent threats, not theoretical ones.
How Chrome’s Sandbox Limits the Damage
Chrome’s architecture isolates each tab and extension in a separate, restricted process. This sandbox imposes a strict security boundary: the renderer process has no direct access to the file system, network, or other processes unless explicitly granted. A successful exploit of CVE-2026-13845 therefore grants the attacker control only inside this sandbox cage—powerful, but not all-powerful.
To turn a sandboxed code execution into a full system compromise, an attacker would need a second vulnerability, commonly called a sandbox escape. Such bugs are rarer and more valuable on the exploit market, but they do exist. In 2024, for example, a similar DOM use-after-free in Chrome was paired with a kernel bug in a watering hole attack targeting a financial sector. There’s no evidence yet that CVE-2026-13845 is being chained, but Google’s acknowledgment of in-the-wild exploitation suggests at least one attack campaign is leveraging it.
For users, the sandbox remains a critical defense-in-depth layer. It buys time and forces attackers to do more work, often triggering detection by endpoint security tools in the process. Still, the best defense is to never let them get inside in the first place—and that means applying the update immediately.
The Road to Chrome 150
Chrome’s rapid release cycle has been a double-edged sword for security. On one hand, fixes like today’s can go from report to patch in under 24 hours when a zero-day is involved. On the other, the sheer speed of development—Chrome 150 arrives less than two months after version 149—means the attack surface is constantly shifting. DOM use-after-free bugs are a recurring theme; the browser’s V8 JavaScript engine and Blink rendering engine are complex C++ codebases where manual memory management still plays a role, despite ongoing efforts to add sandboxes and use safer languages like Rust.
CVE-2026-13845 is the seventh use-after-free flaw patched in Chrome’s DOM component this year alone, according to a review of public advisories. The pattern underscores why Google has expanded its bug bounty programs, with rewards for high-severity browser vulnerabilities now reaching up to $100,000. External researchers often find these bugs through fuzzing and code audits, but some are discovered internally during prophylactic code reviews.
The current vulnerability was reported by a researcher within Google’s Project Zero team, according to the advisory. Project Zero typically gives vendors 90 days to fix before disclosure, but when a bug is already being exploited, the turnaround shrinks to seven days or fewer. In this case, the patch was engineered and tested in under five days, a testament to the maturity of Chrome’s security response process.
How to Update Chrome Right Now
For most users, updating Chrome is straightforward and automatic. But given the severity of this flaw, a manual check ensures you’re protected immediately. Here’s how to do it on every platform:
| Platform | Steps |
|---|---|
| Windows/macOS | Click the three-dot menu → Help → About Google Chrome. The browser will check for updates and prompt a relaunch if one is found. |
| Linux | Use your package manager to update the google-chrome-stable package, or run Chrome and trigger the update via the same Help menu as above. |
| iOS/Android | Visit the App Store or Google Play Store, search for Chrome, and tap Update if available. |
After updating, confirm you’re running version 150.0.7871.47 or later by revisiting the About page. If the update doesn’t appear, close and reopen the browser—sometimes the background updater needs a kickstart.
For enterprise administrators, this is a moment to enforce patch compliance. Group Policy or MDM profiles can force browser updates and even restart Chrome silently. Google’s enterprise documentation outlines the relevant policies, including AutoUpdateCheckPeriodMinutes to scan more frequently and RestartNotification to suppress prompts for critical patches. The update is also available as an MSI installer for offline deployment.
Beyond updating, there’s little end users can do to mitigate this specific bug short of not browsing the web—hardly practical. Sites that rely heavily on complex DOM manipulation (such as those with interactive maps, online editors, or advertising networks) carry a slightly higher risk because they trigger more code paths in the rendering engine. But any page could theoretically host the exploit. Consider enabling Enhanced Safe Browsing in Chrome’s security settings for an extra layer of malware and phishing protection, though it doesn’t block memory corruption flaws directly.
Beyond This Patch
CVE-2026-13845 is a reminder that browser updates are not routine housekeeping; they are urgent security fixes. While Google’s aggressive patch cadence keeps most users safe, the gap between discovery and deployment is still measured in days—and for attackers, that’s a window of opportunity. Security teams should treat this Chrome release with the same urgency as any critical OS patch, and individual users should turn on automatic updates if they haven’t already.
Looking ahead, expect more details about the vulnerability to surface in the coming weeks once the user base has largely patched. Google will likely publish a technical deep-dive on its Chromium blog, and third-party researchers will integrate the flaw into detection tools. In the meantime, a quick visit to Chrome’s About page could be the most important click you make today.