Google has pushed out a critical update for its Chrome browser on Windows, fixing a high-severity information-disclosure vulnerability in the ANGLE graphics layer. The patched version, 150.0.7871.46, began rolling out earlier today, and all Windows users should confirm they are running it—or a later build—as soon as possible.

The flaw: what CVE-2026-14402 really means

The vulnerability, cataloged as CVE-2026-14402, lives inside ANGLE (Almost Native Graphics Layer Engine). ANGLE is the translation layer that allows Chrome to run WebGL and other GPU-accelerated content across different operating systems by converting OpenGL ES calls to the platform’s native graphics API—on Windows, that’s Direct3D. Because ANGLE handles buffer allocations, shader compilation, and memory management in a complex multi-process environment, a bug here can expose raw memory contents that ought to be off-limits.

Google has classified the bug as high severity, the second-most serious tier in Chrome’s rating system. Information-disclosure flaws in a graphics compositor are particularly dangerous because they can bypass the browser’s usual site-isolation boundaries. An attacker who lures a victim to a malicious webpage could craft a WebGL payload that reads sensitive data from other parts of the browser’s memory—potentially revealing session cookies, authentication tokens, or even system memory mapped to the GPU.

Crucially, this vulnerability affects only the Windows version of Chrome. Mac, Linux, and Android builds process graphics through different paths (Metal, GLX/Vulkan, and OpenGL ES respectively) and are not listed as impacted in the advisory.

What you need to do—immediately

Chrome updates itself in the background by default, but the process is not instantaneous. The browser checks for new versions roughly every five hours and applies them the next time you restart. For a high-severity fix like this one, waiting can be risky.

For everyday users: Open Chrome, click the three-dot menu in the top-right corner, then go to “Help” > “About Google Chrome.” The page will automatically check for updates and begin downloading version 150.0.7871.46. Once installed, click “Relaunch” to finish. If you see any version number starting with “150.0.7871.” and ending with “46” or higher, you are protected.

For IT administrators and managed environments: Push the update through your patch management system immediately. Chrome’s MSI enterprise installer for version 150.0.7871.46 is available from the usual distribution channels. Group Policy templates have not changed, so no policy adjustments are needed—just deploy the latest binaries. If you rely on Chrome’s Legacy Browser Support to render older intranet apps, test briefly: ANGLE changes can occasionally affect shader-heavy WebGL content, though this patch is narrowly scoped to the CVE.

For developers and power users: If you have disabled automatic updates or use a portable build, download the standalone installer from google.com/chrome. If you embed Chromium in your own application via CEF or Electron, check your base version; if it predates 150.0.7871.46 and you build with ANGLE on Windows, you may need to incorporate the upstream commit. Check the Chromium security page for the specific patch once it lands in the public repository.

How the update found its way to your desktop

Chrome 150 entered the stable channel on May 27, 2026, bringing a smorgasbord of developer-facing features—CSS anchor positioning, the Navigation API, and improved WebGPU support. The .7871 branch appeared first as a minor release with stability fixes. Then, on May 29, the security team incremented the build to .46 and pushed a silent background update. Google did not announce the CVE at that moment, following its standard practice of withholding details until a fix reaches a critical mass of users.

This morning, the Chrome Releases blog disclosed CVE-2026-14402 along with a brief description: “Information disclosure in ANGLE.” That terse language is typical; Google rarely elaborates on high-severity bugs until they are fully patched and third-party projects have had time to backport the fix. The Chromium bug tracker entry remains hidden from the public, viewable only to certain trusted contributors.

Why ANGLE bugs are a recurring headache

ANGLE is a sprawling C++ codebase, originally developed by Google to bring WebGL to Windows without depending on the slow, often-buggy OpenGL drivers shipped by GPU vendors. Today it also translates Vulkan backends on some platforms. Its complexity—thousands of permutations of API calls, buffer types, and texture formats—makes it fertile ground for memory corruption and information-leak bugs. Between 2021 and 2025, ANGLE accounted for roughly 12% of all high- or critical-severity Chrome CVEs, according to an analysis by the Chromium security team.

Information-disclosure bugs in ANGLE often follow a pattern: an out-of-bounds read occurs when a shader references a texture coordinate that maps beyond the allocated buffer. Under normal circumstances, this would crash the shader compiler or return a black pixel. But if ANGLE’s memory allocation is misaligned due to a race condition or a mishandled D3D resource, the GPU can fetch data from a neighboring allocation that contains secrets from a different origin.

Google has been investing in mitigations: out-of-process GPU command isolation (Win32k lockdown), CFG (Control Flow Guard) enforcement in the GPU process, and a new “ANGLE security review” that all code changes must pass before landing. Those defenses don’t eliminate flaws like CVE-2026-14402, but they do raise the cost of turning an information leak into code execution.

What happens if you don’t update

Running an unpatched Chrome on Windows means every tab you open could be a potential attack surface. Exploitation does not require the victim to click a download or approve a permission; simply rendering a WebGL ad or a crafted image file could trigger the bug. While there are no public reports of active exploitation—Google’s advisory states it “is aware of reports that an exploit for CVE-2026-14402 exists in the wild” only if true—the company’s decision to ship an out-of-cycle micro-patch (the jump from .41 to .46 within the 7871 branch) suggests the risk is real.

Security researchers often race to analyze publicly disclosed patches to develop proof-of-concept code. Within days, those PoCs sometimes filter into exploit kits. The window between a patch becoming available and attacks starting is measured in hours, not weeks.

A quick historical parallel

This is not the first time a Chrome update has been driven by a graphics-layer vulnerability. In February 2025, CVE-2025-0294 forced a similar scramble: a high-severity buffer overflow in ANGLE’s metal render path on macOS. Before that, CVE-2024-7971, a type confusion in the V8 JavaScript engine, led to an emergency release. Each incident reinforces the reality that modern browsers are as complex as operating systems; their attack surfaces include everything from JavaScript just-in-time compilers to GPU shader translators.

Will this affect other Chromium-based browsers?

Microsoft Edge, Brave, Opera, Vivaldi, and other Chromium-derived browsers typically release their own patches within 48 hours of an upstream fix. Edge, in particular, integrates its own Super Duper Secure Mode enhancements that can alter how ANGLE paths are used, but the underlying CVE still applies. Check each browser’s release notes or built-in update mechanism to confirm you have a build that incorporates Chromium 150.0.7871.46 or later.

The bigger picture for Windows users

Microsoft has been tightening Windows’ graphics stack security for years, introducing features like Hardware-enforced Stack Protection and gradually deprecating legacy GPU drivers. Yet browsers remain the most exposed vector because they must render untrusted content with high performance. Information-disclosure bugs in components like ANGLE chip away at the browser’s sandbox, potentially giving attackers a foot in the door for more damaging exploits.

For everyday Windows users, the takeaway is simple: update Chrome now. For IT pros, it’s a reminder that a robust patch strategy can’t just cover OS updates—it must include fast-tracking browser zero-days. And for the Chromium community, CVE-2026-14402 is another data point in the long-running effort to make GPU rendering safe by default.

What to watch next

Google has not yet released a technical deep-dive on the flaw. Once the Chromium bug tracker entry becomes public, expect details on whether the bug was discovered internally, through a third-party report, or as part of a continued pattern of ANGLE information-disclosure weaknesses. If the CVE was credited to an external researcher, their write-up often follows within a week. Until then, the best defense is the simplest: ensure that “About Google Chrome” shows a version number that begins with 150.0.7871.46 or higher.