Google has shipped an urgent patch for a high-severity security flaw in Chrome that could allow attackers to remotely execute code on a Windows PC simply by convincing a user to visit a malicious website. The fix arrived in Chrome 150.0.7871.46, and every Chrome installation below that version is considered vulnerable.
The vulnerability, tracked as CVE-2026-14426, resides in V8 — Chrome’s JavaScript engine — and is classified as a use-after-free bug. If exploited, it could let an attacker run arbitrary code on the target system with the same privileges as the Chrome user. In practice, that might mean installing malware, stealing data, or hijacking the computer for other illicit purposes. Security researchers reported the flaw to Google, but the company has not disclosed whether attacks are already underway in the wild.
What’s Inside the Patch
The update to 150.0.7871.46 contains a single security fix for the V8 use-after-free vulnerability. No other fixes or features are included in this release, making it a focused security-only update. Google typically restricts access to technical details until the majority of users have applied the patch, a prudent measure to slow exploit development while the update rolls out.
If you rely on Chrome for daily browsing — whether on Windows 10, Windows 11, or any other supported desktop platform — you are at risk until you install this version. The severity is high enough that even cautious users who avoid shady sites are not entirely safe. Malicious ads, compromised legitimate sites, or a cleverly crafted email link could all serve as an attack vector.
Who’s at Risk, and Why It Matters
Every Windows user running a Chrome version below 150.0.7871.46 is affected. This includes the stable channel release. If you aren’t sure what version you’re on, open Chrome, click the three-dot menu, go to Help > About Google Chrome, and the current version will be displayed.
A use-after-free vulnerability is a class of memory corruption bug. When Chrome’s V8 engine processes JavaScript, it juggles objects in memory. If an object is freed but a reference remains, an attacker can manipulate that reference to point to memory they control — eventually hijacking the program’s execution flow. For end users, the bottom line is simple: a single visit to a booby-trapped web page could hand control of your PC to a remote attacker.
This is hardly the first V8 vulnerability to plague Chrome. The engine’s complexity and performance demands make such bugs a recurring headache. Earlier this year alone, Chrome has patched multiple use-after-free flaws, some of which were actively exploited. The rapid pace of discovery underscores why prompt updates are non-negotiable.
How to Update Chrome Now
Chrome normally updates itself in the background, but the process isn’t always instantaneous. Because this is a security fix, you should manually trigger the update instead of waiting. Here’s how:
- Open Chrome.
- Click the three-dot menu (⋮) in the upper-right corner.
- Select Help > About Google Chrome.
- Chrome will check for updates and download the latest version automatically.
- Once the download completes, click Relaunch to apply the update.
After relaunching, return to the About page and verify that the version number is 150.0.7871.46 or higher. If you see an older version, repeat the steps or download the latest installer from google.com/chrome.
For IT administrators managing fleets of Windows machines, the update can be deployed using the standard Chrome administrative templates. Force-install the latest version via Group Policy or your endpoint management tool, and consider configuring an automatic update policy that minimizes the delay between a Chrome release and its installation. Google also offers the Chrome Cleanup Tool and the Software Removal Tool, but those are not substitutes for this patch.
The Broader Chromium Family
Chrome isn’t the only browser that depends on the V8 engine. Microsoft Edge, Brave, Opera, Vivaldi, and many others are built on Chromium, and they all inherit V8’s vulnerabilities. Microsoft is usually quick to absorb Chromium patches into Edge, but the timing can vary. If you use any Chromium-based browser, check its version against the latest release and update promptly. Brave and Opera have also released statements encouraging users to ensure they’re on the most recent version.
Firefox and Safari, which use different JavaScript engines, are not affected by this particular V8 flaw. But for the vast majority of Windows users who stick with Chrome or Edge, this is a critical moment to click “Relaunch.”
What the Future Holds
Google’s security team will eventually publish detailed technical analysis of CVE-2026-14426, which may reveal just how close the industry came to a widespread exploit. For now, the company’s swift turnaround — from report to patch — significantly shrinks the window of opportunity for attackers.
Still, over a billion Chrome users worldwide mean that millions of installations will remain unpatched for days or weeks. Cybercriminals know this and often reverse-engineer patches to develop exploits. The best defense is to update immediately, enable auto-updates, and never ignore that “Relaunch” button.
Keeping your browser up-to-date is the single most effective action you can take to protect yourself online. This patch is a timely reminder of why.