Google has released Chrome 150 with fixes for 27 security vulnerabilities, including two rated critical severity. Both critical flaws are use-after-free issues, located in Chrome’s Ozone and Views components, and were discovered internally by Google last month.
Vulnerability Breakdown
Use-after-free bugs dominate this release, accounting for 13 of the 27 patched issues. Of those, 10 are rated high severity, one is medium severity, and two are the critical flaws mentioned above. Additional vulnerability classes addressed in this update include:
- Uninitialized use
- Integer overflow
- Out-of-bounds read and write
- Insufficient validation of untrusted input
- Inappropriate implementation
- Insufficient data validation
- Insufficient policy enforcement
Google Finding Its Own Bugs
Only three of the 27 vulnerabilities were reported by external researchers, who collectively received $3,000 in bug bounty rewards. The remaining flaws were identified internally, continuing a trend that has persisted for more than two months. Google attributes this shift, at least in part, to AI-assisted vulnerability discovery. While the change has reduced payouts to external researchers, it has also dramatically increased the volume of security issues being resolved.
Since April, Google has shipped fixes for more than 1,400 Chrome vulnerabilities, with Chrome updates from June and July alone accounting for over 1,000 of those. Hundreds of the patched issues involve memory safety weaknesses, the category to which use-after-free bugs belong.
Affected Versions and Update Details
The updated Chrome versions are 150.0.7871.114 and 150.0.7871.115 for Windows and macOS, and 150.0.7871.114 for Linux. Users and administrators should prioritize updating given the presence of two critical-severity flaws in this release.
