Chrome 151’s latest stable-channel update delivers patches for 382 security vulnerabilities, including 15 critical bugs that can be weaponized for remote code execution and full browser compromise if left unpatched.
Google is rolling this update out for Windows, macOS, Linux, and Chrome for iOS, with security fixes spanning almost every core component of the browser stack.
According to Google’s release notes, Chrome 151 (with desktop build 150.0.7871.46) includes 382 distinct security fixes covered under the Chrome Vulnerability Rewards Program.
Bug details remain partially restricted until the majority of users receive the update, in line with Google’s standard coordinated disclosure process.
The patch set addresses vulnerabilities ranging from critical remote code-execution issues to low‑severity UI and policy-enforcement flaws affecting web, graphics, casting, networking, and iOS-specific components.
Many of these bugs were identified internally by Google using modern memory‑safety tooling such as AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, and fuzzing frameworks.
Chrome Update Patches 382 Vulnerabilities
Google classifies 15 of the fixed vulnerabilities as critical, with most described as “use after free” issues in high‑risk components such as Extensions, GPU, WebUSB, Browser, Views, Bluetooth, Chromoting, and Ozone.
These memory‑corruption flaws can often be chained to achieve arbitrary code execution in the browser or underlying OS context when a user visits a maliciously crafted page or interacts with attacker‑controlled content.
The critical set also includes type confusion and insufficient validation of untrusted input in rendering and graphics subsystems such as Dawn, ANGLE, and Skia, as well as in iOSWeb’s input handling.
Exploiting these bugs could allow attackers to bypass sandbox boundaries, trigger heap corruption, or hijack control flow, greatly increasing the risk of drive‑by compromise scenarios.
Beyond the 15 critical issues, Google fixed a large number of high‑severity vulnerabilities across areas such as Chromecast, QUIC, Updater, SVG, Chrome for iOS, Safe Browsing, Accessibility, Canvas, File Input, and enterprise‑focused features.
Many of these are also use‑after‑free, heap buffer overflow, integer overflow, or insufficient policy enforcement issues that can facilitate information disclosure, privilege escalation, or sandbox escape in realistic attack chains.
The update further addresses hundreds of medium‑severity flaws touching Web Authentication, WebHID, WebXR, DevTools, Autofill, Passwords, PDF, Codecs, Fonts, and various UI components.
While individually less impactful, these bugs collectively expand Chrome’s attack surface and can be chained with other vulnerabilities to improve exploit reliability or bypass security prompts and indicators.
Google also ships dozens of low‑severity fixes focused on incorrect security UI, policy bypasses, and insufficient validation in components such as SplitView, WebXR, Network, WebNN, Chrome for iOS, TabStrip, Storage, GamepadAPI, History Embeddings, and newer AI- and credential‑related features.
These issues often contribute to user deception, inconsistent security states, or subtle sandbox and permission bypasses rather than direct code execution.
| CVE ID | Component | Root cause / bug class | Reported by | Report date |
|---|---|---|---|---|
| CVE-2026-13774 | Extensions | Use after free in Extensions | | 2026-04-26 |
| CVE-2026-13775 | GPU | Use after free in GPU | | 2026-05-10 |
| CVE-2026-13776 | Dawn | Type confusion in Dawn | | 2026-05-14 |
| CVE-2026-13777 | iOSWeb | Insufficient validation of untrusted input in iOSWeb | | 2026-05-14 |
| CVE-2026-13778 | WebUSB | Use after free in WebUSB | | 2026-05-14 |
| CVE-2026-13779 | Chromoting | Use after free in Chromoting | | 2026-05-14 |
| CVE-2026-13780 | ANGLE | Insufficient validation of untrusted input in ANGLE | | 2026-05-19 |
| CVE-2026-13781 | Skia | Insufficient validation of untrusted input in Skia | | 2026-05-25 |
| CVE-2026-13782 | Browser | Use after free in Browser | | 2026-05-26 |
| CVE-2026-13783 | Views | Use after free in Views | | 2026-05-27 |
| CVE-2026-13784 | Views | Use after free in Views | | 2026-05-27 |
| CVE-2026-13785 | Bluetooth | Use after free in Bluetooth | | 2026-05-27 |
| CVE-2026-13786 | Ozone | Use after free in Ozone | | 2026-05-29 |
| CVE-2026-13787 | Chromoting | Use after free in Chromoting | | 2026-06-11 |
| CVE-2026-13788 | Fullscreen | Use after free in Fullscreen | | 2026-06-12 |
Although categorized as low severity, the security UI, policy-bypass, and validation weaknesses are important for overall browser hardening, especially when targeted by sophisticated threat actors who rely on multi‑bug exploitation chains and social engineering.
Google credits numerous external researchers and partners, alongside its internal teams, for reporting these issues during the Chrome 151 development cycle.
Recommended Actions
Google recommends that all users update to the latest Chrome 151 stable release as soon as possible to mitigate the risk of code execution attacks based on these vulnerabilities.
For enterprises, security teams should prioritize testing and rolling out Chrome 151 across managed fleets, paying particular attention to environments that rely heavily on extensions, remote desktop (Chromoting), WebUSB, WebXR, Chromecast, and Chrome for iOS.
Organizations should also review their browser security baselines, including extension governance, site isolation policies, Safe Browsing settings, and OS‑level exploit mitigations to ensure that they complement the protections introduced in this update.
Where possible, enabling automatic updates and monitoring Chrome’s security advisory channels can help reduce exposure windows to similar large‑scale vulnerability batches in future releases.

