Google released an emergency security update for Chrome on desktop Tuesday, patching a high-severity use-after-free vulnerability in the browser’s Oilpan garbage collector. The flaw, tracked as CVE-2026-13965, could allow remote attackers to execute arbitrary code on unpatched Windows and macOS machines.

The update, version 150.0.7871.47, began rolling out globally on June 30, 2026, for the stable channel. Google confirmed the patch in a terse advisory, crediting an anonymous external researcher for the report. Mac and Windows users are urged to update immediately; a Linux fix was not included in this release, though one typically follows shortly.

The Oilpan Engine Under the Microscope

Oilpan is the C++ garbage collector inside Chromium’s Blink rendering engine. It manages memory for DOM nodes and other web objects, tracing the references between them and automatically freeing objects that nothing references any more. A use-after-free arises when an object is reclaimed while some pointer to it survives, typically a raw pointer the collector does not trace, so the collector cannot tell the object is still in use. If an attacker can then get the freed memory reallocated for data they control, the stale pointer now points into attacker-chosen bytes; overwriting a vtable pointer or other function pointer that way is a standard route to hijacking program flow. In CVE-2026-13965, the dangling pointer resided in a core Oilpan routine, meaning a crafted webpage could reach the bug with nothing more than a visit.
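To make the mechanism concrete, here is an added example (not Chromium or Oilpan code, and not related to the actual CVE-2026-13965 bug) that reproduces the pattern deterministically: a hypothetical fixed-size slab allocator that recycles a freed slot on the next allocation, a node-like object whose function pointer stands in for a vtable pointer, and an attacker allocation that reoccupies the slot. The second half shows one generic mitigation, a generational handle that refuses to dereference a recycled slot; that check is an illustration of the idea, not a description of how Oilpan or Chromium's own hardening works.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>

// Toy fixed-size slab allocator (hypothetical, not Oilpan): four 32-byte slots,
// alloc() hands out the lowest free slot and release() only clears the flag, so
// a freed slot is reused by the very next allocation and its old bytes are kept.
struct Slab {
    static constexpr std::size_t kSlot = 32;
    static constexpr std::size_t kSlots = 4;
    alignas(16) std::array<std::uint8_t, kSlot * kSlots> mem{};
    std::array<bool, kSlots> used{};

    std::size_t index(const void* p) const {
        return static_cast<std::size_t>(static_cast<const std::uint8_t*>(p) - mem.data()) / kSlot;
    }
    void* alloc() {
        for (std::size_t i = 0; i < kSlots; ++i)
            if (!used[i]) { used[i] = true; return &mem[i * kSlot]; }
        return nullptr;
    }
    void release(void* p) { used[index(p)] = false; }
};

// Stand-in for a DOM node: the function pointer the engine calls on an event
// plays the role of a C++ vtable pointer.
using Handler = int (*)();
struct Node { Handler on_event; int id; };

int benign_handler()   { return 1; }
int attacker_handler() { return 0xBAD; }   // stands in for attacker-chosen code

// Vulnerable pattern: the node is released while a second, untracked raw
// pointer to it survives; the attacker then reoccupies the slot.
int vulnerable_flow() {
    Slab slab;
    Node* node = new (slab.alloc()) Node{benign_handler, 7};
    Node* dangling = node;        // reference the collector does not know about
    slab.release(node);           // object "collected"

    // Attacker-controlled allocation lands in the same slot and overwrites the
    // bytes where on_event used to be (a heap spray in miniature).
    auto* spray = static_cast<std::uint8_t*>(slab.alloc());
    Handler h = attacker_handler;
    std::memcpy(spray, &h, sizeof h);

    return dangling->on_event();  // control flow hijacked: returns 0xBAD
}

// Hardened pattern: every slot carries a generation counter that release()
// bumps; a handle remembers the generation it was created with and refuses
// to dereference once the slot has been recycled.
struct GenSlab : Slab {
    std::array<std::uint32_t, kSlots> gen{};
    void release(void* p) { Slab::release(p); ++gen[index(p)]; }
};

struct NodeRef {
    GenSlab* slab;
    Node* ptr;
    std::uint32_t gen;
    NodeRef(GenSlab* s, Node* n) : slab(s), ptr(n), gen(s->gen[s->index(n)]) {}
    Node* get() const { return slab->gen[slab->index(ptr)] == gen ? ptr : nullptr; }
};

int hardened_flow() {
    GenSlab slab;
    Node* node = new (slab.alloc()) Node{benign_handler, 7};
    NodeRef ref(&slab, node);
    slab.release(node);

    auto* spray = static_cast<std::uint8_t*>(slab.alloc());
    Handler h = attacker_handler;
    std::memcpy(spray, &h, sizeof h);

    Node* n = ref.get();
    return n ? n->on_event() : -1;   // -1: stale reference caught, nothing called
}

int main() {
    std::printf("vulnerable_flow() = %#x\n", vulnerable_flow());
    std::printf("hardened_flow()   = %d\n", hardened_flow());
    return 0;
}
```

The example is deliberately free of undefined behaviour at the language level (the byte array stays alive and Node is trivially copyable), which is what makes it deterministic; a real browser heap gives the attacker the same effect only after grooming allocations so that the controlled object lands in the freed slot.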

Google categorises the fix as high severity. The company withholds technical details until a majority of users have updated, a protective measure against rapid exploit development, so Tuesday’s release notes say only “Use after free in Oilpan”. That terseness is routine; the signal is the timing. Chrome stable updates arrive on a regular schedule, and this patch lands just days after the last scheduled release, an out-of-cycle push that indicates urgency.

Your Windows or Mac Machine Is the Target

For everyday Chrome users on Windows or macOS, the immediate risk is clear. Opening a malicious website or a compromised advertisement could silently execute code in the browser. Because the bug resides in the rendering engine, it is reachable from any tab; no plugins or special permissions are required. One caveat applies: Chrome runs each renderer in a sandbox, so a renderer bug on its own yields code execution inside that sandbox, and reaching the user’s files, stealing credentials or installing ransomware requires a second bug that escapes it. Real-world browser attacks routinely chain the two, which is why a renderer use-after-free is still treated as a serious threat: it is the first link in a chain that can end in credential theft or lateral movement into corporate networks.

Users who avoid Chrome itself are not necessarily immune. Many Electron-based apps (Slack, VS Code, Discord) embed Chromium, and with it Blink and Oilpan, so they may carry the same flawed code until they pick up a fixed Chromium. Developers who build on Electron should watch for the Electron release that backports the upstream Chromium fix and update their framework as soon as it ships.

IT administrators face a different challenge. In managed environments where automatic updates are delayed by group policy or patch-testing cycles, the window of exposure stretches longer. CVE-2026-13965 is exactly the kind of renderer bug that attackers pair with a sandbox escape to breach enterprise networks. Pushing the update within 24 hours should be treated as a priority-one event.

A History of Chrome’s Garbage Collector Struggles

Use-after-free bugs plague all major browsers, but Chrome’s complex JavaScript engine and Blink renderer make it a frequent target. In 2025, Google patched over 20 use-after-free bugs across various Chromium components; several reached in-the-wild exploitation before fixes were deployed. Oilpan itself was designed to reduce manual memory management errors, yet its own logic can still be tricked. For instance, CVE-2022-1437 in an earlier Oilpan release enabled code execution via a similar dangling pointer.

What sets CVE-2026-13965 apart is the speed of the response. Google’s security team normally ships stable-channel fixes on a fixed cadence, bundling many patches together. A single-fix release outside that cadence implies either a public proof-of-concept that significantly lowers the bar for exploitation, or active attacks already under way. Neither has been confirmed publicly, but the pattern mirrors previous zero-day responses.

What to Do Right Now on Windows and macOS

For Individual Users

  1. Open Chrome.
  2. Click the three-dot menu → Help → About Google Chrome.
  3. The browser will check for updates and install version 150.0.7871.47 automatically.
  4. Click Relaunch to finish. Your open tabs will be restored.

If the update is not yet visible, restart Chrome and try again. Google’s staged rollout can take a few hours to reach all devices, but you can force the check by navigating to chrome://settings/help.

For IT Administrators

  • Push the latest Chrome MSI or PKG via your patch management tool (SCCM, Intune, Jamf). The enterprise installers are available on the Chrome Enterprise download page.
  • Verify that all managed browsers report version 150.0.7871.47 or higher. On a single machine, chrome://version shows the installed build; for the fleet, use the version inventory your management tool or Chrome Browser Cloud Management reports, and compare versions component by component rather than as strings.
  • Block outdated versions from accessing sensitive internal applications until the update is applied. Network admission control policies can enforce a minimum browser version.
  • Monitor CISA’s Known Exploited Vulnerabilities catalog; if CVE-2026-13965 is added, federal agencies and their contractors must patch within a mandated timeframe.
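The version check above is easy to get wrong when an inventory export is compared as text. The following is an added example, not Google's or any management tool's code, of the comparison logic a compliance script needs: a four-component numeric parse, a component-wise comparison, and a pass over a constructed inventory (the host names, the Host struct and the version strings other than 150.0.7871.47 are invented for illustration). An unparseable entry is deliberately reported as non-compliant rather than silently passing.

```cpp
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// Split "150.0.7871.47" into numeric components. Missing components count as
// zero; an empty or non-numeric component makes the whole version parse as
// all zeros, so a broken inventory entry fails the minimum-version check.
std::vector<std::uint32_t> parse_version(const std::string& v) {
    std::vector<std::uint32_t> parts;
    std::stringstream ss(v);
    std::string tok;
    while (std::getline(ss, tok, '.')) {
        if (tok.empty() || tok.find_first_not_of("0123456789") != std::string::npos)
            return {0, 0, 0, 0};
        parts.push_back(static_cast<std::uint32_t>(std::stoul(tok)));
    }
    while (parts.size() < 4) parts.push_back(0);
    return parts;
}

// Component-wise comparison. A plain string compare would rank "150.0.7871.5"
// above "150.0.7871.47" and "99.0.1.1" above "150.0.7871.47".
bool meets_minimum(const std::string& installed, const std::string& minimum) {
    return parse_version(installed) >= parse_version(minimum);  // std::vector compares lexicographically
}

// Hypothetical inventory record, e.g. one row of an Intune/Jamf/CBCM export.
struct Host { std::string name; std::string chrome_version; };

// Names of the hosts still below the required build, in inventory order.
std::vector<std::string> outdated_hosts(const std::vector<Host>& hosts, const std::string& minimum) {
    std::vector<std::string> out;
    for (const Host& h : hosts)
        if (!meets_minimum(h.chrome_version, minimum)) out.push_back(h.name);
    return out;
}

// Constructed sample inventory (not real data).
const std::vector<Host> kInventory = {
    {"win-fin-01", "150.0.7871.47"},
    {"win-fin-02", "150.0.7871.5"},    // a string compare would wrongly pass this one
    {"mac-eng-07", "150.0.7871.63"},
    {"mac-eng-09", "149.0.7800.120"},
    {"win-hr-03",  "unknown"},         // agent reported nothing usable
};

int main() {
    for (const std::string& name : outdated_hosts(kInventory, "150.0.7871.47"))
        std::printf("OUTDATED: %s\n", name.c_str());
    return 0;
}
```

Feed the real export in place of kInventory and the same two functions drive whatever blocking or ticketing action the admission-control policy takes.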

Outlook: The Patch Cycle Tightens

Google is expected to open the underlying bug report in the Chromium issue tracker once a supermajority of users are protected, as it does for most security fixes. Security researchers will dissect the fix, and exploits will likely surface in the following weeks. This event underscores the relentless cat-and-mouse game in browser security: each new garbage collector optimisation opens fresh attack surface. For users, the best defence remains the same: enable automatic updates and restart Chrome when prompted. For organisations, remote browser isolation and keeping sensitive sessions out of unmanaged local browsers can blunt the impact of future renderer bugs.

As the Chromium project approaches version 160 later this year, expect more stringent compile-time checks and runtime assertions to be wired into Oilpan. Until those materialise, the fastest patch wins.