Google has rushed out a fix for a serious security flaw in the Chrome Updater on Windows that could allow an attacker who has already gained a foothold on your PC to seize full control of the system. The vulnerability, tracked as CVE-2026-14018, affects Chrome versions prior to 150.0.7871.47 and was quietly patched in an update that began rolling out this week. If you use Chrome on Windows, you need to make sure you're running the latest build—right now.

The Vulnerability, Explained

At its core, CVE-2026-14018 is a use-after-free (UAF) memory corruption bug. The Chrome Updater process frees a block of memory but later uses a pointer that still refers to it. If the allocator has since handed that block out again to hold data an attacker controls, the updater ends up operating on attacker-supplied contents; if one of the stale fields it reads is a function pointer or object header, the attacker decides where execution goes next. Because the Updater runs with elevated privileges on Windows (it needs them to replace browser files under Program Files and to install updates), a successful exploit can hand an attacker administrator- or even SYSTEM-level access.

Google rates the severity High, and the company's advisory confirms that a local attacker can leverage the flaw to escalate privileges. "Local" means the attacker must already be able to run code on the target machine as an ordinary user, perhaps through a separate malware infection, a malicious script, or a compromised user account. From there, they can abuse the UAF bug to move from that limited user context to control of the entire device. It is not a drive-by bug that a web page can trigger on its own; its value to an attacker is as the second stage after an initial compromise.

Use-after-free vulnerabilities are a staple in the world of browser and operating system exploits. They occur when a program frees a memory block but keeps a pointer to it and uses that pointer later. By then the allocator may have reused the block for a different purpose, and if an attacker can influence what gets written there, the stale pointer now points at attacker-chosen data, and a function pointer read through it redirects the program's control flow. In the context of the Chrome Updater this is especially dangerous because the updater runs automatically, as a scheduled task and on browser launch, without any user interaction, so an attacker who already has local code execution can reach the vulnerable code path without anyone noticing.
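The mechanism described above, as an added example that is not code from Chrome, the Chrome Updater or Google. It uses a tiny fixed-slot pool as a stand-in for the heap so that the freed slot is reused predictably on any platform (real allocators usually behave the same way for same-sized requests, but the C standard does not promise it), and it shows the vulnerable dispatch pattern beside a hardened one. The `Job` struct, the pool and the two dispatch functions are illustrative, not the updater's real data structures.

```c
#include <stdio.h>
#include <string.h>

/* Tiny fixed-slot pool standing in for the heap. Slots are reused in
 * first-fit order and are never cleared on free, which is exactly the
 * behaviour that makes a use-after-free exploitable. This is a stand-in,
 * not the allocator the Chrome Updater uses. */
#define SLOT_SIZE  32
#define SLOT_COUNT 4

static union { unsigned char bytes[SLOT_SIZE]; void *align; } pool[SLOT_COUNT];
static int slot_in_use[SLOT_COUNT];

static void *pool_alloc(size_t n) {
    if (n > SLOT_SIZE) return NULL;
    for (int i = 0; i < SLOT_COUNT; i++)
        if (!slot_in_use[i]) { slot_in_use[i] = 1; return pool[i].bytes; }
    return NULL;
}

static void pool_free(void *p) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (p == pool[i].bytes) slot_in_use[i] = 0;   /* contents left intact, like free() */
}

/* A job the updater dispatches through a function pointer: the C analogue of
 * a C++ object whose first word is a vtable pointer. Hypothetical struct. */
typedef struct {
    int (*run)(void);
    int priority;
} Job;

static int install_update(void)   { return 1; }       /* legitimate work */
static int attacker_payload(void) { return 0xBAD; }   /* would run with the updater's privileges */

/* Vulnerable pattern: the job is freed, but the stale pointer is still used. */
static int dispatch_vulnerable(void) {
    Job *job = pool_alloc(sizeof *job);
    job->run = install_update;
    job->priority = 1;
    pool_free(job);                      /* job now dangles */

    /* A local attacker requests a same-sized allocation; the allocator hands back
     * the slot the job occupied, and the attacker fills it with bytes of their
     * choosing so that the first field is a pointer to attacker_payload. */
    unsigned char *controlled = pool_alloc(sizeof(Job));
    Job fake = { attacker_payload, 0 };
    memcpy(controlled, &fake, sizeof fake);

    int result = job->run();             /* call through the dangling pointer */
    pool_free(controlled);
    return result;                       /* 0xBAD: control flow was hijacked */
}

/* Hardened pattern: the object is used only while owned, the pointer is nulled
 * at release, and the null is checked before any later use. */
static int dispatch_hardened(void) {
    Job *job = pool_alloc(sizeof *job);
    job->run = install_update;
    job->priority = 1;
    int result = job->run();             /* dispatch while the object is still alive */
    pool_free(job);
    job = NULL;                          /* nothing left to dangle */

    unsigned char *controlled = pool_alloc(sizeof(Job));   /* attacker still reuses the slot... */
    Job fake = { attacker_payload, 0 };
    memcpy(controlled, &fake, sizeof fake);

    if (job != NULL) result = job->run(); /* ...but no stale pointer can reach it */
    pool_free(controlled);
    return result;                       /* 1: only install_update ever ran */
}

int main(void) {
    printf("vulnerable dispatch returned 0x%X\n", dispatch_vulnerable());
    printf("hardened dispatch returned %d\n", dispatch_hardened());
    return 0;
}
```

The hardened version is the minimum, not the whole story: in a real code base the fix is usually a change of ownership (the object is only reachable from one owner, and the owner is the one that frees it) rather than a null check bolted on after the fact, and a real exploit on Windows would additionally have to defeat ASLR and control-flow mitigations. The example shows only why a freed-then-reused block turns a dangling pointer into a control-flow hijack.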

Who Is Affected?

The flaw is specific to the Google Chrome Updater component on Windows. macOS and Linux versions are not impacted. Any Windows machine running Chrome 150.0.7871.46 or earlier is vulnerable. Chrome 150.0.7871.47, which contains the fix, has been released to the Stable channel; the advisory excerpt available to us does not give the exact release date, but the update is available now. Users of Chrome Canary, Dev, and Beta channels received the patch earlier, as is typical with Chromium's staggered release process.

Most home users will be covered by Chrome's automatic update mechanism. However, enterprise environments where updates are managed by IT administrators may lag behind if the patch hasn't been approved and deployed. Similarly, anyone who has disabled auto-updates or who is running an older, unsupported version of Chrome—for instance, to maintain compatibility with legacy web apps—is at heightened risk.

The Fix Is In: Update Now

Google has not disclosed the full technical details of the vulnerability, its usual practice: the bug tracker entry stays restricted until a majority of users have applied the patch. The company also hasn't said whether attacks have been observed in the wild. But with any privilege escalation bug in a widely deployed, high-privilege updater, time is critical. Chrome's built-in update mechanism should fetch and install the new version automatically within hours. To force an update:

  1. Open Chrome.
  2. Click the three-dot menu in the top-right corner.
  3. Go to Help > About Google Chrome.
  4. Chrome will check for updates and begin downloading version 150.0.7871.47 or later.
  5. Click "Relaunch" when prompted to finish the installation.

If you're in an organization, alert your IT team to push the update immediately. In managed Chrome deployments, also check that an update policy is not holding the browser back: a version pin such as the TargetVersionPrefix policy, or auto-updates disabled by policy, will keep endpoints on the vulnerable build until the policy is changed.

How Chrome Updater Got Here

Chrome's updater has been a target before. In 2023, Google fixed a similar elevation-of-privilege bug in the component (CVE-2023-3216). The updater's deep integration with Windows—it runs as a scheduled task and a service—makes it a high-value target. When researchers or attackers discover a way to corrupt its memory, the consequences ripple far beyond the browser.

The Chrome Updater (formerly known as Google Update) uses the Omaha update protocol and is responsible for silently keeping Chrome, and sometimes other Google software, current. By design, it operates in the background and downloads signed updates from Google's servers. Because it needs write access to the Program Files directory and certain registry keys, it runs with elevated privileges. That power, if hijacked, can be used to install persistent malware, disable security products, or steal sensitive data.

Use-after-free bugs are endemic in C++ codebases like Chromium's. Google employs fuzzing, static analysis, and a generous bug bounty program to catch them, but no amount of tooling eliminates them entirely. The company also uses sandboxing and site isolation to limit the damage of any single browser-process compromise. However, these defenses don't protect the updater itself, which sits outside the sandbox.

What You Need to Do

For the vast majority of users, the advice is straightforward: ensure Chrome is updated. But there are a few nuances worth noting.

  • Verify the update even if you think it's automatic. Sometimes the updater gets stuck due to a missing scheduled task or a group policy restriction. Go to chrome://settings/help (the same page as Help > About Google Chrome), which shows the current version and triggers an update check. If it's not 150.0.7871.47 or higher, you are not protected.
  • Restart Chrome. The update won't fully take effect until you relaunch the browser. If you see a "Relaunch" button, click it. Don't put it off.
  • Enable automatic updates if you turned them off. Some power users disable the Google Update services and scheduled tasks to avoid unwanted resource usage. If that's you, reconsider: the risk from a single unpatched high-severity bug outweighs a few megabytes of RAM. The service and task names differ between the legacy Google Update and the newer Chromium-based updater, so check for both.
  • For IT admins: Use the Google Update ADMX templates to enforce auto-updates, and confirm that no version pin (TargetVersionPrefix) or rollback policy (RollbackToTargetVersion) is holding endpoints on an older build. Push the enterprise MSI for version 150.0.7871.47 to all managed endpoints, then verify the installed version from your inventory rather than trusting the deployment job's status. In your endpoint detection and response (EDR) tooling, look for the updater process spawning anything other than Google's own installer binaries, for example cmd.exe or powershell.exe running as SYSTEM with the updater as parent. Note that the binary name depends on which updater generation is installed: GoogleUpdate.exe for the legacy Google Update, updater.exe for the newer Chromium-based updater.
  • Run a quick security check. Because the bug requires an attacker to already have code execution on your system, it's a good moment to perform a malware scan with a current antivirus tool. Windows Defender or a dedicated second-opinion scanner can help catch any low-hanging fruit that might have used a previous vulnerability.
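The version check in the bullets above is easy to get wrong in a script: comparing "150.0.7871.9" with "150.0.7871.47" as strings says the first is newer, while numerically it is older and therefore vulnerable. The following is an added example, not a Google tool, that parses Chrome's four-part version numerically, reports each host as patched, vulnerable or unknown, and walks a small constructed inventory of "host,version" lines of the kind an asset-management export or EDR query would return. The host names and versions in the inventory are made up; the fixed build is the one named in the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed build named in Google's advisory for CVE-2026-14018. */
#define FIXED_VERSION "150.0.7871.47"

/* Parse a dotted Chrome version such as "150.0.7871.47" into four numeric
 * components (missing trailing components count as 0). Returns 1 on success,
 * 0 if the string is not a well-formed version. */
static int parse_version(const char *s, unsigned long out[4]) {
    for (int i = 0; i < 4; i++) out[i] = 0;
    if (s == NULL) return 0;
    const char *p = s;
    for (int i = 0; i < 4; i++) {
        char *end;
        if (*p < '0' || *p > '9') return 0;   /* each component must start with a digit */
        out[i] = strtoul(p, &end, 10);
        if (*end == '\0') return 1;           /* last component consumed */
        if (*end != '.') return 0;            /* junk such as "150.0.7871.47-beta" */
        p = end + 1;
    }
    return 0;                                 /* more than four components */
}

/* Numeric, component-wise comparison: <0, 0, >0 as a is older than, equal to,
 * or newer than b. Both strings must parse; callers check that first. */
static int compare_versions(const char *a, const char *b) {
    unsigned long va[4], vb[4];
    parse_version(a, va);
    parse_version(b, vb);
    for (int i = 0; i < 4; i++)
        if (va[i] != vb[i]) return va[i] < vb[i] ? -1 : 1;
    return 0;
}

/* 1 = at or above the fixed build, 0 = vulnerable, -1 = version unparseable
 * (treat as unknown and investigate; never count it as patched). */
static int is_patched(const char *installed, const char *fixed) {
    unsigned long tmp[4];
    if (!parse_version(installed, tmp) || !parse_version(fixed, tmp)) return -1;
    return compare_versions(installed, fixed) >= 0;
}

/* Constructed sample inventory, one "host,chrome_version" per line. Not real hosts. */
static const char *const inventory[] = {
    "wks-01,150.0.7871.47",   /* exactly the fixed build */
    "wks-02,150.0.7871.46",   /* one build short: vulnerable */
    "wks-03,150.0.7871.9",    /* older, but a string compare would call it newer */
    "wks-04,151.0.7900.12",   /* later major: fine */
    "wks-05,unknown",         /* agent could not read the version */
};
#define INVENTORY_LEN (sizeof inventory / sizeof inventory[0])

/* Walk the inventory; returns the number of hosts confirmed vulnerable and
 * reports how many could not be assessed through *unknown. */
static int audit_inventory(const char *const *lines, size_t n, const char *fixed, int *unknown) {
    int vulnerable = 0;
    *unknown = 0;
    for (size_t i = 0; i < n; i++) {
        const char *comma = strchr(lines[i], ',');
        const char *version = comma ? comma + 1 : NULL;
        int status = is_patched(version, fixed);
        if (status == 1) continue;
        if (status == 0) vulnerable++; else (*unknown)++;
        printf("%.*s: %s\n", (int)(comma ? comma - lines[i] : 0), lines[i],
               status == 0 ? "VULNERABLE" : "version unknown");
    }
    return vulnerable;
}

int main(void) {
    int unknown;
    int vulnerable = audit_inventory(inventory, INVENTORY_LEN, FIXED_VERSION, &unknown);
    printf("%d vulnerable, %d unknown of %zu hosts\n", vulnerable, unknown, INVENTORY_LEN);
    return (vulnerable || unknown) ? 1 : 0;
}
```

The same rule applies whatever language the check is written in: compare components as numbers, and treat a version you could not read as unpatched until proven otherwise. In PowerShell, casting both strings to `[version]` before comparing gives the numeric behaviour; a plain `-gt` on strings does not.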

Looking Ahead

Google's speed in shipping this fix is commendable, but the advisory still leaves questions. We don't know who found the bug—whether it was an internal researcher, a bug bounty hunter, or an outside security firm—or whether it's being actively exploited. Google typically credits the discoverer in the Chrome release blog, which will likely be updated in the coming days. If it turns out to be a zero-day that was exploited in the wild, you'll want to be certain you've already patched.

Beyond this one CVE, the episode is a reminder that auto-updating software isn't just a convenience; it's a critical security control. Attackers increasingly target the software supply chain, including updaters, installers, and other trusted system-level components, precisely because those components run with high privilege and are expected to be doing something on the machine. Keeping Chrome and every other application on your PC current is one of the most effective things you can do to reduce your attack surface. This isn't the last we'll hear of a Chrome Updater bug, but it's one you can neutralize in about two minutes.