Google released Chrome 150.0.7871.128 for Windows on July 16, closing a high-severity use-after-free flaw in the Cast component tracked as CVE-2026-15902. The same update patches three critical vulnerabilities in CameraCapture, GPU, and Network, along with three other high-severity issues. If you haven’t restarted Chrome in the past 48 hours, your browser is almost certainly still vulnerable.
Seven Security Fixes in One Update
The Stable Channel update for desktop bundles seven vulnerability fixes, the most severe of which could allow an attacker to corrupt memory and potentially execute arbitrary code on a targeted machine. Google’s Chrome Releases bulletin lists the following:
- CVE-2026-15902: Use after free in Cast (High), reported internally on June 10.
- Critical: Use-after-free bugs in CameraCapture, GPU, and Network.
- High: Issues in V8 (Chrome’s JavaScript engine), Ozone (the Wayland-related abstraction layer), and Aura (the cross-platform windowing system).
No exploit activity has been observed in the wild for any of these flaws, according to Google’s standard disclosure, but the nature of use-after-free defects in high-privilege browser processes makes them reliably exploitable once reverse-engineered. The Cast vulnerability is especially concerning because the component interacts with local network devices — Chromecast hardware, smart displays, conference-room screens — potentially expanding the attack surface beyond a simple malicious webpage.
Google restricted technical details and the internal Chromium bug tracker entry, a standard practice that gives users time to patch before attackers can dissect the fix. CERT-FR, the French government cybersecurity agency, has also published an advisory corroborating the seven CVEs and urging immediate updates for Chrome on Windows and Linux.
What the Cast Vulnerability Means for You
Use-after-free in memory-unsafe languages like C++ can be exploited to achieve code execution, information leaks, or denial-of-service crashes. In Chrome, the Cast component handles device discovery and communication over the local network — it’s not just the “Cast” button in the toolbar. Even if you never stream content from your browser, the Cast stack remains active by default.
The practical risk for home users: a specially crafted website could try to exploit the Cast bug, though no such attack has been detected yet. More importantly, the three critical CameraCapture, GPU, and Network flaws are more likely to be triggered by everyday browsing — a page with an embedded camera feed, a WebGL animation, or a complex network request could be enough. You don’t need to own a Chromecast to be at risk.
Windows users can check their Chrome version now: open the three-dot menu, click Help > About Google Chrome. The browser will immediately look for updates and install version 150.0.7871.128 if available. A relaunch is required to complete the update; if you see a “Relaunch” button, you’re still running the vulnerable build until you click it.
For IT Administrators: A Patch That Can’t Wait
Managed environments face a larger challenge. Chrome installations on shared workstations, kiosks, persistent virtual desktops, and meeting-room PCs are often left running for weeks without restart. A quick window to the About page won’t be triggered on those machines.
Your remediation target is unambiguous: all Windows endpoints must run Chrome 150.0.7871.128 or later. Gather version data from endpoint management platforms (Intune, SCCM, Workspace ONE, etc.) or software inventory tools, and create a query that flags any build older than the target. Don’t wait for vulnerability scanners to report the CVE — NVD enrichment is lagging (more on that below), so scanner results may be incomplete for days.
After deploying the update, force a browser restart. Chrome’s background updater can take hours or days to roll out; under group policy or enterprise management, you can trigger an immediate update and prompt users, or even force-restart Chrome silently if your change control allows. For kiosks and digital signage, schedule the update during a maintenance window and verify the new version on reboot.
This is not just a Chrome update. CVE-2026-15902 is a Chromium vulnerability, which means other Chromium-based browsers — Microsoft Edge, Brave, Opera, Vivaldi, Electron apps, and WebView2 Runtime — need their own separate patches. Installing Chrome 150.0.7871.128 does not protect Edge, and updating Edge does not protect Chrome. Check each vendor’s release notes and apply updates on their cadence. Microsoft Edge, deeply embedded in Windows workflows, will get its own fix via Windows Update or its own channel; monitor the MSRC advisory for the corresponding Edge CVE.
Disabling Cast via enterprise policy (e.g., EnableMediaRouter set to false) reduces feature exposure but is not a substitute for patching. Google’s advisory does not confirm that the policy removes the vulnerable code path entirely. And BYOD machines, contractor laptops, and unmanaged systems rarely enforce such policies anyway.
Why NVD Shows 'CVE ID Not Found' (and Why You Shouldn't Wait)
If you pull up the NIST National Vulnerability Database entry for CVE-2026-15902 right now, you’ll see a stark message: “CVE ID Not Found.” That’s caused by a timing lag in NVD’s enrichment process — the CVE has been assigned by Google (the CVE Numbering Authority in this case) but hasn’t yet completed the full NVD workflow that adds product mappings, CVSS scores, and textual descriptions.
Automated vulnerability scanners and CMDB tools that rely exclusively on NVD or downstream feeds may miss this CVE entirely for several days. This creates a dangerous blind spot: a system running Chrome 149.x with a critical Cast flaw will appear clean until NVD catches up.
Google’s Chrome Releases channel — the company’s official security bulletin — remains the authoritative source when it comes to a Chrome patch. The CVE exists, it was patched on July 16, and CERT-FR’s independent advisory confirms the details. Document the NVD lag in your internal records and proceed with remediation based on the vendor fix, not the database’s enrichment status.
How We Got Here: Chromium’s Cast Component Under Fire
Chromium’s Cast component is a long-running feature that started as a simple screen-mirroring tool and grew into a full device-discovery and media-routing stack. It uses protocols like mDNS and DIAL to find smart TVs, streaming sticks, and presentation displays on the local network. Because it operates at a system level within the browser — launching sockets, processing device responses — it’s an attractive target for memory-corruption researchers.
Use-after-free bugs are a recurring theme in Chromium. The engine is written largely in C++, and while Google invests heavily in sandboxing, site isolation, and memory safety scanners, new use-after-free flaws are discovered almost every month. The Cast component’s network-facing posture and long uptime on kiosks and living-room devices make a high-severity rating warranted; Google rarely assigns “high” without concrete evidence that exploitation is plausible.
This isn’t the first Cast-related scare. In 2022, a similar use-after-free in Cast (CVE-2022-2852) was exploited in the wild before patching. The memory of that incident, along with the broad install base of Chrome 150, likely drove the internal June 10 report and the swift fix included in the July 16 Stable Channel push.
Your Action Plan: Steps to Take Now
For individual Windows users:
- Open Chrome’s menu (three dots), click Help > About Google Chrome.
- Wait for the version check to complete. If an update is available, it will install automatically.
- Click “Relaunch” to finish applying Chrome 150.0.7871.128.
- Confirm the version number on the About page after relaunch.
- Avoid using Chrome until the relaunch is complete.
For IT teams and administrators:
- Deploy Chrome 150.0.7871.128 or later through your standard patch management system (SCCM, Intune, Group Policy, Workspace ONE, etc.).
- Query all Windows endpoints for Chrome versions below 150.0.7871.128. Include rarely restarted machines: kiosks, digital signage, shared workstations, VDI sessions.
- Force a Chrome restart after deployment. If users are reluctant, inform them of the critical security implications.
- Update Microsoft Edge separately — do not assume Edge is patched. Check the MSRC or Edge release notes for the corresponding CVE.
- Inventory all Chromium-based software: Brave, Opera, Vivaldi, Electron apps, WebView2 Runtime. Update each according to its vendor’s schedule.
- Document CVE-2026-15902 as vendor-fixed in your vulnerability management tool, even if NVD enrichment is pending. Note the NVD lag.
- For network-level hardening: review access policies that allow Chrome Cast on guest Wi-Fi or untrusted VLANs, especially in conference-room settings.
What’s Next
NVD enrichment will eventually populate the CVE-2026-15902 record with a CVSS score, affected product configurations, and references to the Chrome issue tracker. Microsoft will issue an Edge update that includes the Chromium fix, likely within a day or two. Other Chromium-based browsers will follow their own release cycles.
The bigger lesson from this release is that a vendor’s security bulletin must drive patching decisions, not the presence or absence of a database entry. Chrome 150.0.7871.128 is the minimum safe version for Windows right now — and waiting any longer leaves your systems exposed to a set of critical and high-severity bugs that are already publicly known, even if not yet exploited in the wild.