Google has shipped Chrome 150.0.7871.46 to the Stable channel, and this is not a routine refresh. The update closes CVE-2026-14390, a use-after-free vulnerability in Chrome’s ANGLE graphics translation layer that carries a High severity rating. The flaw could let a remote attacker execute arbitrary code or crash the browser on Windows systems—simply by convincing a user to visit a malicious webpage.
What exactly changed in this release
The jump to version 150.0.7871.46 is a security patch release, not a feature drop. The sole documented fix is for CVE-2026-14390, a memory safety bug in ANGLE—the component that converts WebGL and OpenGL ES calls into native graphics API instructions. On Windows, ANGLE translates those calls into Direct3D, making it a critical piece of the rendering pipeline for web-based games, 3D maps, and WebGL content.
Use-after-free vulnerabilities occur when a program continues to access a memory location after it has been freed. In Chrome’s multi-process architecture, such a bug in the GPU process or a renderer that touches ANGLE could be exploited to corrupt memory, escape the sandbox, or execute attacker-controlled code. Google’s advisory stops short of confirming active exploitation, but the “High” label and the rapid, out-of-cycle release underscore the danger. This patch landed outside the usual bi-weekly Stable refresh cadence, a signal that the Chrome security team considered the fix urgent.
The updated builds are:
- Chrome for Windows: 150.0.7871.46 (64-bit and 32-bit)
- Chrome for macOS: 150.0.7871.46
- Chrome for Linux: 150.0.7871.46
All prior versions—150.0.7871.45 and earlier—are vulnerable.
What it means for Windows users
For everyday home users
If you use Chrome on a Windows laptop or desktop, you are in the direct line of fire. ANGLE is a Windows-first technology. While the component exists on macOS and Linux, its role on those platforms is less central because native OpenGL drivers are more common. On Windows, ANGLE is the default pathway for nearly all WebGL content. That means nearly every Windows Chrome installation is susceptible.
Attack scenario: a user clicks a link in an email, social media post, or ad, landing on a page that hosts specially crafted WebGL code. The malicious page exploits the use-after-free bug to hijack the GPU process. From there, an attacker might chain the bug with another flaw to break out of the sandbox and install malware, steal cookies, or monitor keystrokes. Because WebGL can run without the user’s explicit permission, no interaction beyond loading the page is necessary.
The good news: Chrome’s built-in updater will download and install version 150.0.7871.46 automatically as soon as it can make a connection to Google’s servers. If you leave Chrome running, it will prompt you to relaunch after the download completes. You can speed the process up by visiting chrome://settings/help and checking for updates manually.
For IT administrators and enterprise deployments
Organizations that manage Chrome via Group Policy, Configuration Manager, or third-party patch tools face a tighter clock. Zero-day or near-zero-day exploitation is always a concern when a patch ships solo and labeled High. Your immediate to-do list:
- Identify vulnerable endpoints. Any machine running Chrome < 150.0.7871.46 is a risk. Use your asset inventory or endpoint management console to query Chrome versions.
- Deploy the update. Google publishes Enterprise MSIs for every Stable release. Download the 150.0.7871.46 MSI from the Enterprise download page and push it via your software distribution system. Google’s Chrome Browser Management console can also force updates for managed browsers.
- Test compatibility. Because ANGLE sits between the browser and the graphics driver, certain legacy GPU driver versions might interact unexpectedly with the patch. Pilot the update on a representative sample of hardware—especially machines with older Intel HD Graphics or discrete AMD/NVIDIA cards that rely on driver-specific ANGLE workarounds.
- Monitor for Chromium-based Edge. Microsoft Edge shares the Chromium engine and, depending on the release schedule, may also be affected by CVE-2026-14390. As of this writing, Microsoft has not issued a corresponding Edge patch, but admins should watch for Edge 150.x updates and apply them promptly when available.
- Reinforce browser security settings. While the patch is the ultimate fix, consider temporarily enforcing site isolation (
chrome://flags/#enable-site-per-process) or disabling WebGL via Group Policy (DisableWebGL: true) on critical workstations until patching is complete—only if your business apps can tolerate the break.
For developers and power users
If you tinker with WebGL or maintain websites that use 3D graphics, verify that your applications continue to render correctly after the update. Past ANGLE patches have occasionally introduced subtle regressions in shader compilation or texture filtering. Test on the latest Chrome version before your users get the update automatically.
How we arrived at this point
Chrome’s release history is peppered with ANGLE-related CVEs. The component’s complexity—bridging two entirely different graphics paradigms—makes it a magnet for memory safety bugs. In 2025 alone, the Chromium project disclosed over a dozen use-after-free vulnerabilities across its codebase, several in GPU-related subsystems. ANGLE, being a large and actively maintained translation layer, regularly surfaces these issues as the team adds support for new WebGL extensions or optimizes driver compatibility.
Chrome 150 itself launched quietly in early 2026 with the usual mix of new web platform features and under-the-hood performance tweaks. This emergency patch, released just days after the 150 milestone, suggests the vulnerability was severe enough—or the exploitation risk high enough—to justify breaking the normal release cadence.
Historically, use-after-free bugs in Chrome’s GPU process have been exploited in the wild. While Google has not confirmed any active attacks leveraging CVE-2026-14390, the vulnerability’s classification as “High” and the patch’s nature as a singleton fix align with patterns seen before targeted attacks emerge. The company’s policy is to disclose technical details only once the majority of users have updated, so specifics on the vulnerability’s trigger will remain scarce for weeks.
What to do right now
Step 1: Verify your Chrome version. Open the three-dot menu, navigate to Help > About Google Chrome. The version number appears prominently. If it reads anything other than 150.0.7871.46, you are out of date.
Step 2: Update immediately. On the About page, Chrome will begin checking for updates. If an update is available, it downloads automatically. After the download, click “Relaunch.” Save your work beforehand—Chrome will restore your tabs, but unsaved form data may be lost.
Step 3: If the update fails, exit Chrome completely (ensure no chrome.exe processes remain in Task Manager) and re-launch. Occasionally, a stuck background process prevents the updater from working. If you manage Chrome via enterprise policy, forced updates may override manual checks; consult your IT department.
Step 4: Confirm the update took. After relaunch, return to Help > About to verify the new version string. You should see “Google Chrome is up to date – Version 150.0.7871.46 (Official Build) (64-bit)” (or 32-bit, depending on your architecture).
Step 5: Enable automatic updates if disabled. Some power users or corporate policies disable Google Update. Automatic updates are the single most effective defense against browser-based attacks. Unless you have a concrete, business-critical reason to control update timing, leave auto-update on.
Beyond Chrome, this is a good moment to check your other browsers. If you use Brave, Opera, Vivaldi, or any other Chromium fork, their vendors typically import security fixes within days of Chrome’s release. Check for updates in those browsers too—especially if you rely on them for sensitive work.
Outlook: what to watch next
Google will likely follow up with a post on the Chrome Releases blog, offering attribution credit to the researcher who reported CVE-2026-14390 and possibly revealing the bug’s nature once the patch has saturated the user base. Until then, treat this as a live, high-priority update with potential exploitability.
For Windows users, the lesson is familiar: browser updates are not optional reading. Chrome’s silent auto-update is reliable but not instant, and every hour you delay relaunching the browser is an hour an attacker could target that vulnerability. Restart Chrome today. For IT teams, integrate this CVE into your vulnerability management dashboard and trigger a scan cycle. The threat surface is broad, but the fix is a single click—or a single deployment—away.