Google has released Chrome 150.0.7871.47 to the Stable channel, and the headline fix is CVE-2026-13825—a high-severity memory bug in the Dawn graphics library that could enable remote attacks against Windows, macOS, and Linux desktops. All users should apply the patch without delay.
What’s in the Chrome 150.0.7871.47 Patch
The update closes a single security vulnerability that Google rates as high severity. Identified as CVE-2026-13825, it is an uninitialized-use flaw in Dawn, the cross-platform WebGPU implementation that Chrome uses to render complex 2D and 3D graphics. When software fails to initialize a memory buffer before reading from it, an attacker can manipulate what data resides there, potentially hijacking the program’s flow.
Google’s advisory provides scant technical detail, a common practice while the update is rolling out to give users time to patch. However, uninitialized memory vulnerabilities in graphics libraries are a known attack vector: a malicious webpage can craft WebGPU calls that trigger the bug, turning a single errant memory access into full code execution. Because Chrome runs with the user’s privileges on Windows, a successful exploit could install malware, steal sensitive files, or turn the PC into a botnet node—all with no user interaction beyond visiting a booby-trapped site.
Desktop platforms share the same Dawn codebase, so the patch applies to Chrome on Windows, macOS, and Linux. Android and iOS Chrome variants are unaffected, as they use different graphics stacks. The updated build number—150.0.7871.47—supersedes all earlier 150.x releases; users stuck on version 150.0.7871.45 or older are vulnerable.
Why This Update Matters for Your PC
For home users, the risk is straightforward: until you update Chrome, any website you visit could be weaponized. The bug sits in a core component that processes WebGPU content, and while WebGPU uptake is still growing, popular web apps and games increasingly rely on it for performance. An attacker need only serve an ad or embed malicious graphics on a legitimate page to target millions of unpatched browsers.
Because Chrome’s sandbox is designed to contain such flaws, a secondary exploit is often required to break out. Yet Google’s high-severity rating implies that the vulnerability likely bypasses some sandbox protections or offers a reliable path to compromise the renderer process. Combined with another flaw—say, a kernel bug—it could escalate to a full system takeover.
For IT administrators, this is a drop-everything update. Managed fleets that use Chrome across hundreds of workstations are sitting ducks if auto-update is lagging. A single unpatched device browsing a compromised internal wiki or external site is enough for an attacker to gain a foothold. Deploy the MSI installer through Group Policy or your software management platform immediately, and verify that all endpoints report version 150.0.7871.47 or higher. Chrome’s enterprise release notes confirm that no policy changes are needed; this is a straightforward patch with no behavioral side effects.
Developers working with WebGPU should check their own applications for any patterns that might trigger uninitialized memory in Dawn’s shader compilation or buffer handling. While the exact crash signature isn’t public, the patch offers a chance to reinforce good memory hygiene: always initialize buffers and validate WebGPU API calls against suspicious input. The Electron framework, which embeds Chromium, will likely ship its own backport; maintainers of Electron apps should watch for an upstream release and update their dependencies promptly.
The Road to This Vulnerability
Uninitialized-use bugs have been a staple of Chrome’s vulnerability database for years. The complexity of the graphics pipeline—spanning shader translation, memory management, and cross-platform abstraction—makes Dawn a particularly juicy target. Google introduced Dawn as part of the WebGPU specification push in Chrome 94, aiming to give web apps low-level GPU access akin to DirectX or Vulkan. Since then, security researchers have steadily peeled apart its internals, uncovering a string of high-severity issues.
The CVE-2026-13825 fix arrives in a routine Stable channel update, but Google’s omission of a bug bounty payout or external credit often signals internal discovery. The Chrome security team found the flaw during its own auditing, a practice that has intensified as WebGPU gains adoption. This internal flagging does not necessarily mean the bug was known to attackers, but it also doesn’t preclude it; Google seldom comments on in-the-wild exploitation for individual CVEs.
Prior Chrome 150 builds—150.0.7871.42 through 150.0.7871.45—were released over the past several weeks, each containing minor fixes and feature tweaks. The jump to .47 indicates a single targeted patch rather than a broader cumulative update, a typical pattern for high-severity fixes. Microsoft’s Edge browser, which shares the Chromium engine, will absorb this fix in its next update; Edge users can expect a matching release within days.
How to Update Chrome Right Now
Chrome’s update mechanism is simple, but the urgency demands a manual nudge:
- Open Chrome and click the three-dot menu in the top-right corner.
- Go to Help > About Google Chrome.
- Chrome will automatically check for updates and start downloading version 150.0.7871.47.
- Once the download finishes, click Relaunch to complete the installation.
If the updater gets stuck or you’re behind a corporate firewall, you can download the offline installer directly from Google’s Chrome website. For enterprise admins, the MSI and PKG installers are available on the Chrome Enterprise download page. It’s safe to install over any existing 150.x version; your settings, bookmarks, and extensions will be preserved.
After updating, verify the version number by revisiting chrome://settings/help. You should see “Google Chrome is up to date” with version 150.0.7871.47 (Official Build) listed. Simply closing Chrome and reopening it won’t trigger an update; you must use the About dialog or wait for the background updater to kick in, which can take hours or days.
For those managing multiple browsers, note that Brave, Vivaldi, Opera, and Edge all rely on Chromium and will receive this fix on their own release cadences. Check each browser’s update channel to ensure you’re protected.
Keeping an Eye on Chrome Security
CVE-2026-13825 is a reminder that even mature software carries deep, exploitable cracks. Google’s quick patch cadence—often releasing fixes within days of discovery—underscores the value of automatic updates. Yet the gap between patch availability and user adoption remains a persistent weakness. Many home users disable updates out of annoyance, while enterprise environments struggle with change-control bottlenecks.
Looking ahead, Google will continue to backport this fix to older Chromium-based projects. If you use Chromium embedded in kiosk software, in-car systems, or thin clients, contact your vendor for a customized patch. The broader WebGPU ecosystem, still maturing, will face more scrutiny: expect further Dawn CVEs as security researchers and malicious actors alike probe the attack surface.
In the immediate term, verify that your Chrome installation is at 150.0.7871.47. Enable automatic updates if you’ve turned them off, and consider setting your browser to clear cache on exit as a defense-in-depth measure—it won’t stop exploitation, but it can complicate an attacker’s foothold. The next Chrome Stable update, likely to land in a week or two, will bundle additional security fixes; staying current is your simplest shield.