Google released Chrome 150.0.7871.128 for Windows and Linux on July 16, 2026, alongside a corresponding macOS build, patching a critical use-after-free vulnerability in the browser’s GPU component. The flaw, identified as CVE-2026-15900, headlines a bundle of seven security fixes—three rated critical and four high—that demand immediate attention from both everyday users and IT administrators.

What’s Inside Chrome 150.0.7871.128

The update fixes seven distinct vulnerabilities. The most severe, CVE-2026-15900, describes a use-after-free condition in Chromium’s graphics processing stack. Google’s bulletin classifies it as critical and notes it was reported internally on June 14. Two other critical use-after-free issues—CVE-2026-15899 in CameraCapture and CVE-2026-15901 in Network—are also resolved. The remaining four high‑severity flaws include three more use‑after‑free bugs (CVE-2026-15902 in Cast, CVE-2026-15904 in Ozone, CVE-2026-15905 in Aura) and an out‑of‑bounds read and write in the V8 JavaScript engine, tracked as CVE-2026-15903.

For Windows users, the fixed build is 150.0.7871.128; macOS users should receive 150.0.7871.129. The version string reflects the two‑number packaging Google uses to distinguish platform builds. Google’s Chrome release bulletin lists all seven issues, though technical details remain restricted while the patch propagates.

CERT‑FR, the French national cybersecurity agency, confirmed the affected versions in a July 17 advisory: any Chrome release earlier than the patched builds remains vulnerable. Notably, the National Vulnerability Database (NVD) currently displays “CVE ID Not Found” for CVE‑2026-15900. That is typical—CVE records can be reserved before NVD ingestion and enrichment—and does not indicate the flaw is unconfirmed or the patch unnecessary.

Why You Should Update Immediately

The GPU label can cause confusion. This is not a driver flaw from Nvidia, AMD, or Intel. Instead, it targets Chromium’s own process that manages hardware‑accelerated compositing, WebGL, video decode, and canvas rendering. A use‑after‑free bug in this code could allow crafted web content to corrupt memory, potentially leading to code execution—though the sandbox may limit the impact. Google has not disclosed whether exploitation requires a specific interaction or if it has been seen in the wild, but the critical severity and the inclusion of multiple memory‑safety fixes in the same release make swift patching essential.

For home users and anyone with Chrome installed, the browser normally fetches updates in the background. However, the new build only takes effect after a restart. Navigating to chrome://settings/help or choosing Help > About Google Chrome from the menu forces an immediate check. The version number displayed should begin with 150.0.7871.128 on Windows. If an update is available, Chrome downloads it and prompts for a relaunch.

In enterprise settings, the same principle applies—but with a broader scope. Administrators must consider every Chromium‑based browser in the fleet. Chrome’s bulletin does not automatically cover Microsoft Edge, Brave, Opera, Vivaldi, or Electron‑based apps, each of which relies on its own vendor’s release cadence. A Chrome‑focused alert should trigger a quick inventory: which Chromium browsers are installed, and which have shipped an equivalent security update? For Edge, that means checking Microsoft’s own security guidance; no correlation can be drawn from Chrome’s release alone.

The Missing NVD Entry — When Vendor Sources Lead

Vulnerability‑management teams often rely on NVD feeds to generate dashboards, tickets, and remediation rules. A blank NVD page can therefore disrupt automated workflows. But NVD is an analysis and aggregation source, not the authoritative release gate. Google’s release bulletin and the CVE record itself (confirmed by CERT‑FR) already provide the facts required to act.

CERT‑FR’s advisory lists the affected version threshold and points to the Google bulletin. Technology news sites similarly record the release. These signals are sufficient to approve and schedule the patch in existing endpoint management tools, such as Microsoft Intune, PDQ Deploy, or Chocolatey. Vulnerability managers should record the vendor’s fixed build, the publication date, and the limited description (“critical use‑after‑free in GPU”) without inventing a CVSS score or asserting a sandbox escape. Google has not made those claims publicly.

This episode reinforces why a vendor‑first patching strategy matters. Browser updates are the most direct way to fix browser vulnerabilities. Delaying until NVD enrichment arrives—which often takes a few days—only extends the exposure window. Organizations that have configured their risk‑acceptance rules to require a completed NVD entry might want to add an exception for vendor‑issued updates that meet a severity threshold.

How We Got Here: GPU Vulnerabilities and Use‑After‑Free

Chromium’s multi‑process architecture places graphics tasks in a dedicated GPU process to isolate them from web content and the browser’s main thread. This boundary is a high‑value security layer, but the code that runs inside it is complex and written in C++. Use‑after‑free bugs occur when a program continues to reference memory after it has been freed; an attacker who can control the reuse of that memory may corrupt the heap to redirect execution.

GPU processes are particularly attractive targets because they handle sensitive data like framebuffers, shader programs, and decoded video frames. While sandboxing constrains the damage, a skilled attacker might chain a use‑after‑free in the GPU process with another flaw to escape the sandbox or read sensitive data from other tabs. Google’s decision to rate this issue critical, even without a public technical write‑up, signals that the bug’s exploitation potential is significant.

The lag between CVE assignment and NVD publication is a perennial friction point. A CVE Numbering Authority (CNA) assigns the identifier and reserves the record. NVD then ingests, validates, and enriches the data—adding affected product mappings, CVSS scores, and reference links. This pipeline can take several business days, especially for high‑profile browser updates that arrive with multiple CVEs. During that gap, the only operational sources are the vendor’s release notes and any secondary advisories from national CSIRTs, which are available now for CVE‑2026-15900.

Steps to Secure Your System

For individual Windows users:
1. Open Chrome and click the three‑dot menu, then Help > About Google Chrome.
2. Chrome checks for updates. If a new version is found, it downloads and displays a “Relaunch” button.
3. Save any work and relaunch the browser.
4. Confirm the version reads 150.0.7871.128 (Windows).

For IT administrators:
- Push the Chrome Stable MSI (or equivalent) to all managed Windows endpoints through your software distribution tool.
- Force a browser restart within your maintenance window. Stale Chrome processes can keep the old binary in memory even after the installer runs.
- Validate the deployed version using your endpoint‑management console or a simple inventory script. Do not assume success from the installer exit code alone.
- Check all other Chromium‑based applications—Edge, Brave, Opera, Electron‑based line‑of‑business apps—and track their own vendor advisories. Microsoft Edge, for instance, typically integrates Chromium patches but on its own schedule.
- Record the CVE in your risk register with the vendor status (“fixed in 150.0.7871.128”) and note that NVD enrichment is pending. If your policy requires a CVSS score, assign a placeholder of “critical (vendor)” until NVD publishes one, but do not let that delay deployment.

A word on workarounds: Disabling hardware acceleration in Chrome’s settings may reduce exposure to some GPU code paths, but it is not a reliable mitigation for this specific vulnerability. Performance and video playback quality will also degrade. The only durable fix is the patched browser build.

Looking Ahead

The NVD page for CVE‑2026-15900 will likely be populated within days as the enrichment pipeline catches up. Meanwhile, other Chromium‑reliant vendors are expected to incorporate the same fix and issue their own advisories. For Windows shops where Edge is the default browser, monitoring Microsoft’s Security Update Guide and configuring automatic browser updates will be the next essential step.

More broadly, this update is a reminder that browser patches can no longer be treated as routine IT hygiene. When a single update fixes three critical memory‑safety flaws, the race between attackers and defenders sharpens. The GPU process, in particular, has seen a steady stream of high‑severity discoveries over the years, and its attack surface grows as web applications demand richer graphics. Keeping Chrome—and every Chromium descendant—on a strict, restart‑enforced patch cycle is one of the most effective security measures a Windows user or administrator can take.