Google has released an emergency update for its Chrome browser to patch a critical use‑after‑free vulnerability, catalogued as CVE‑2026‑13774, that could let a malicious browser extension execute arbitrary code on a victim’s machine. The flaw, published by the National Vulnerability Database on June 30, 2026, affects all Chrome installations prior to version 150.0.7871.47 on Windows, macOS, and Linux.

The patch and the flaw

CVE‑2026‑13774 is a use‑after‑free (UAF) memory bug ranked as critical — the highest severity level. In a UAF, the program frees a chunk of memory but later writes to or reads from that same address. That leftover pointer, called a dangling pointer, can let an attacker corrupt data, crash the browser, or — most dangerously — inject and run malicious code with the same privileges as the user.

Here, the National Vulnerability Database’s description explicitly calls out the attack vector: “via malicious extensions.” An extension crafted to exploit this bug could break out of Chrome’s sandbox, gaining a foothold on the host operating system. Because browser extensions often request broad permissions (reading all website data, accessing cookies, or even manipulating tabs), a weaponized extension could silently leverage those privileges once the UAF gives it code execution.

Google delivered the fix in Chrome version 150.0.7871.47 for Windows, macOS, and Linux. The update began rolling out before the NVD publication date of June 30; the NVD entry’s modification two days later, on July 2, suggests additional metadata or references were added to it. Users who have auto‑update enabled should already be patched, but the nature of the flaw warrants a manual verification step.

What’s at stake for you

Home users

If you use Chrome for everyday browsing — email, banking, social media — your primary risk is that a rogue extension already installed on your system could exploit CVE‑2026‑13774 to steal credentials, install malware, or encrypt your files for ransom. Even if you’re careful about which extensions you add, a once‑legitimate extension that gets sold or hijacked downstream could turn malicious overnight. That’s why the Chrome Web Store’s vetting process, though improved, isn’t foolproof.

Because the bug lives in the core browser engine, simply disabling JavaScript on untrusted sites won’t shield you; the extension process runs with elevated access. The good news: there’s no evidence yet that this vulnerability has been chained with a universal cross‑site scripting bug, so an attacker still needs to trick you into installing a bad extension. But once installed, the extension can act without further interaction.

IT administrators and enterprises

For organizations that manage fleets of Chrome installations, CVE‑2026‑13774 is a patching priority. A single unpatched endpoint running an unvetted extension could give attackers a beachhead inside the corporate network. The built‑in Group Policy template for Chrome allows you to enforce a minimum version; set it to 150.0.7871.47 to block older instances from connecting.

Companies that use Chrome’s Legacy Browser Support or headless Chrome for testing should verify those deployments as well — especially CI/CD pipelines that may be pinned to an older stable release. If your security team maintains a CPE (Common Platform Enumeration) inventory for asset tracking, update it to reflect the fixed version so vulnerability scanners stop flagging false positives.

Developers

Web extension developers should audit their code for any pattern that could inadvertently trigger a use‑after‑free, even in extensions with no malicious intent. Chrome’s site isolation and PartitionAlloc improvements over the years have made UAFs harder to exploit, but this CVE shows that the attack surface created by extensions remains large. Google’s extension documentation recommends that developers never access freed memory; using smart pointers and strict static analysis can catch such mistakes early.

How we got here

Chrome’s security team has a long‑standing program of internal fuzzing and external bug bounty reports. Use‑after‑free flaws are among the most prevalent memory‑safety bugs in large C++ codebases like Chromium, despite years of hardening. In fact, according to Google’s own Project Zero, UAFs have accounted for a significant chunk of all in‑the‑wild Chrome exploits over the last decade.

CVE‑2026‑13774’s timeline remains partly opaque. The NVD entry doesn’t list a CVE assignment date or the researcher who discovered it. The gap between the patch rollout and the NVD publication suggests coordinated disclosure: Google likely fixed the bug, waited for enough users to update, then allowed the entry to go public. The July 2 modification may indicate a reference to a Chromium bug report or a security advisory.

Chrome 150 — the milestone containing the fix — entered stable channel on June 24, 2026, according to the Chrome Releases blog. That blog post didn’t initially mention the CVE; Google usually withholds vulnerability details until a majority of users have received the update. The NVD publication on June 30 pulled the curtain back, confirming the severity.

This isn’t the first critical extension‑related Chrome bug. In 2024, CVE‑2024‑10537 allowed a specially crafted extension to bypass the Content Security Policy. The Chrome team has since tightened extension permissions and introduced the “extensions menu” to reduce persistence, but each new version adds features that can introduce new memory‑management errors.

What to do now

  1. Check your current Chrome version. Click the three‑dot menu → Help → About Google Chrome. The browser will automatically check for updates and begin installing them. If the version number shown is below 150.0.7871.47, wait for the download to complete and click Relaunch.
  2. Verify auto‑update is on. On a managed device, your IT department controls updates; on a personal machine, Chrome updates itself by default. To confirm, type chrome://settings/help in the address bar and ensure no policy is blocking updates.
  3. Audit your extensions. Go to chrome://extensions and remove anything you don’t recognize or no longer need. Pay attention to extensions that request “Read and change all your data on all websites” — that broad permission is a red flag unless the extension’s core function demands it.
  4. For enterprise admins: Update your master preferences file or Group Policy to enforce `
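To make steps 1 and 3 checkable across a fleet rather than one browser at a time, here is an added Python example (not from the article and not Google's code): it compares a reported Chrome version numerically against 150.0.7871.47 and flags extension manifests that request all-sites host access. The set of host patterns treated as broad, the manifest field names inspected, and the sample version string and manifests are assumptions constructed for the example.

```python
import json
import re

# Fixed version stated in the advisory above.
FIXED_VERSION = "150.0.7871.47"
# Host patterns Chrome shows as "Read and change all your data on all websites"
# (assumed list for this example, not taken from the page).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")

def parse_version(text):
    """Pull a four-part version out of text such as 'google-chrome --version'
    output and return it as a tuple of ints, so that 149.0.7700.10 sorts below
    150.0.7871.47 (a plain string comparison would get that wrong)."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))

def is_patched(version_text, fixed=FIXED_VERSION):
    """True when the reported build is at or above the fixed release."""
    return parse_version(version_text) >= parse_version(fixed)

def broad_host_patterns(manifest):
    """All-sites host patterns an extension manifest requests, gathered from
    'permissions' (MV2), 'host_permissions' (MV3) and content-script 'matches'."""
    requested = list(manifest.get("permissions", []))
    requested += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    return sorted(set(requested) & BROAD_HOST_PATTERNS)

def audit_endpoint(version_text, manifests):
    """Summarise one endpoint: is Chrome patched, and which installed
    extensions (by name) hold broad host access and deserve a closer look."""
    review = {}
    for name, raw in manifests.items():
        patterns = broad_host_patterns(json.loads(raw))
        if patterns:
            review[name] = patterns
    return {"patched": is_patched(version_text), "review": review}

# Constructed sample input: an unpatched build and two extension manifests.
SAMPLE_VERSION = "Google Chrome 149.0.7700.10"
SAMPLE_MANIFESTS = {
    "tab-tidier": '{"manifest_version": 3, "host_permissions": ["<all_urls>"]}',
    "clock": '{"manifest_version": 3, "permissions": ["alarms"]}',
}
SAMPLE_REPORT = audit_endpoint(SAMPLE_VERSION, SAMPLE_MANIFESTS)
```

On a real endpoint, feed `parse_version` the output of the browser's version command and `audit_endpoint` the contents of each installed extension's manifest.json.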