Chrome 151 Security Update Patches 382 Vulnerabilities, Including 15 Critical Memory-Corruption Flaws (CVE-2026-13774 to CVE-2026-13788) — Threadlinqs Intelligence
Threat ID: TL-2026-1026 · Severity: CRITICAL · Status: ACTIVE · Category: VULNERABILITY
Google's Chrome 151 stable release (desktop build 150.0.7871.46/47, July 1, 2026, for Windows, macOS, Linux and iOS) fixes 382 security defects, including 15 Critical-severity memory-corruption bugs
On July 1, 2026, Google promoted Chrome 151 (Windows/Mac/Linux desktop build 150.0.7871.46, and a closely-tracked 150.0.7871.47 fix build referenced in at least one Chromium issue) and the corresponding Chrome for iOS build to the stable channel, resolving 382 total security issues reported through Chrome's Vulnerability Rewards Program (VRP) and internal fuzzing/sanitizer runs (AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer). Fifteen of the fixes carry Chromium's Critical severity rating, the highest category reserved for bugs that could let a remote attacker escape the renderer sandbox or execute arbitrary code with minimal user interaction.
The Critical set is dominated by use-after-free (CWE-416) defects: CVE-2026-13774 in the Extensions subsystem (reported 2026-04-26) allows an attacker who convinces a victim to install a malicious/crafted Chrome extension to execute arbitrary code by triggering a dangling-pointer access after an extension-related object is freed but still referenced by a callback or message handler. CVE-2026-13775 (GPU process, reported 2026-05-10), CVE-2026-13778 (WebUSB, 2026-05-14), CVE-2026-13779 and CVE-2026-13787 (Chromoting, remote-desktop component, 2026-05-14 and 2026-06-11), CVE-2026-13782 (Browser process core, 2026-05-26), CVE-2026-13783/CVE-2026-13784 (Views UI toolkit, 2026-05-27), CVE-2026-13785 (Bluetooth stack, 2026-05-27), CVE-2026-13786 (Ozone platform abstraction layer, 2026-05-29), and CVE-2026-13788 (Fullscreen API, 2026-06-12) all follow the same pattern: an object (buffer, handler, device session, or UI widget) is freed while a reference to it survives in another code path, and a subsequent access re-enters freed heap memory that an attacker can groom and reclaim with attacker-controlled data, corrupting adjacent heap structures or hijacking a vtable/function pointer to redirect control flow.
The remaining Criticals are type-confusion and validation bugs: CVE-2026-13776 (Dawn, Chrome's cross-platform WebGPU implementation, 2026-05-14) is a type-confusion flaw where a WebGPU object is treated as an incompatible type, allowing memory corruption when GPU commands are dispatched against a mis-typed resource. CVE-2026-13777 (iOSWeb, 2026-05-14) and CVE-2026-13780 (ANGLE, Chrome's GL/Vulkan translation layer, 2026-05-19) and CVE-2026-13781 (Skia, the 2D graphics rendering library, 2026-05-25) are each insufficient-validation flaws where attacker-supplied dimensions, buffer sizes, or resource handles are not fully bounds-checked before use, leading to out-of-bounds memory access during rendering or graphics-command processing.
All 15 issues share a common exploitation narrative that Chromium engineers flagged: a crafted, attacker-controlled web page (or, for Extensions/Chromoting/Bluetooth/WebUSB, a crafted extension package, remote-desktop session, or paired hardware device) triggers the memory-safety violation inside a renderer, GPU, or utility process. Because Chrome's multi-process sandbox isolates the renderer from the browser process and the OS, a UAF or type-confusion bug alone typically yields renderer-level code execution; combined with a privilege-escalation or sandbox-escape primitive (several of these bugs, e.g. in Views/Browser-process code, execute outside the renderer sandbox boundary), an attacker chain could achieve full browser compromise and code execution with the logged-in user's OS privileges, consistent with classic Chrome drive-by-compromise campaigns.
As of this analysis, none of the 15 CVEs (CVE-2026-13774 through CVE-2026-13788) appear in the CISA Known Exploited Vulnerabilities (KEV) catalog, and no public proof-of-concept exploit code has been located. Google's standard coordinated-disclosure policy keeps full bug-tracker details (Chromium issue tracker entries, e.g. issues.chromium.org/issues/506558270 for CVE-2026-13774) access-restricted until a majority of the Chrome user base has received the update, which is standard practice and does
Weaknesses (CWE)
CWE-416, CWE-843, CWE-20, CWE-787
Target sectors: all-sectors, government administration, finance, health, technology, education, retail, critical-infrastructure
Target regions: Global
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 17 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans.
VULNERABILITY, CRITICAL, threat intelligence, cybersecurity, CVE-2026-13774, CVE-2026-13775, CVE-2026-13776, CVE-2026-13777, CVE-2026-13778, CVE-2026-13779, CVE-2026-13780, CVE-2026-13781, CVE-2026-13782, CVE-2026-13783, T1189, T1190, T1203, T1204, T1176, T1068, T1211, T1140, T1518, T1185