The recent stable-channel update for Chrome 151 fixes 382 security flaws, including 15 critical vulnerabilities that can be exploited for remote code execution and complete browser takeover if left unpatched.
Google is deploying this update across Windows, macOS, Linux, and Chrome for iOS, with security enhancements affecting nearly every fundamental element of the browser framework.
Per Google’s release documentation, Chrome 151 (with desktop build 150.0.7871.46) contains 382 individual security fixes included under the Chrome Vulnerability Rewards Program.
Details regarding the bugs are partially kept confidential until most users obtain the update, following Google’s standard coordinated disclosure protocol.
The set of patches tackles vulnerabilities ranging from significant remote code-execution problems to minor UI and policy enforcement issues impacting web, graphics, casting, networking, and iOS-specific modules.
Numerous bugs were discovered internally by Google utilizing advanced memory-safety tools like AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, and fuzzing frameworks.
Chrome Update Addresses 382 Vulnerabilities
Google categorizes 15 of the resolved vulnerabilities as critical, with most identified as “use after free” issues found in high-risk areas such as Extensions, GPU, WebUSB, Browser, Views, Bluetooth, Chromoting, and Ozone.
These memory-corruption vulnerabilities can frequently be chained to achieve arbitrary code execution within the browser or the underlying OS context when a user visits a maliciously constructed page or interacts with attacker-controlled content.
The critical set also includes type confusion and inadequate validation of untrusted input in rendering and graphics subsystems like Dawn, ANGLE, and Skia, along with iOSWeb’s input handling.
Exploiting these flaws could enable attackers to escape sandbox restrictions, trigger heap corruption, or hijack control flow, significantly increasing the risk of drive-by compromise.
Apart from the 15 critical vulnerabilities, Google rectified numerous high-severity vulnerabilities across areas such as Chromecast, QUIC, Updater, SVG, Chrome for iOS, Safe Browsing, Accessibility, Canvas, File Input, and enterprise-specific features.
Many of these are also use-after-free, heap buffer overflow, integer overflow, or inadequate policy enforcement concerns that can lead to information disclosure, privilege escalation, or sandbox escape in realistic attack sequences.
The update further resolves hundreds of medium-severity vulnerabilities affecting Web Authentication, WebHID, WebXR, DevTools, Autofill, Passwords, PDF, Codecs, Fonts, and a variety of UI components.
While each is less impactful on its own, collectively these issues broaden Chrome’s attack surface and can be chained with other vulnerabilities to improve exploit reliability or bypass security prompts and indicators.
Google also releases many low-severity fixes aimed at incorrect security UI, policy bypasses, and inadequate validation in components such as SplitView, WebXR, Network, WebNN, Chrome for iOS, TabStrip, Storage, GamepadAPI, History Embeddings, and emerging AI- and credential-related features.
These issues frequently contribute to user misdirection, inconsistent security states, or subtle sandbox and permission bypasses rather than direct code execution.
| CVE ID | Component | Root cause / bug class | Reported by | Report date |
|---|---|---|---|---|
| CVE-2026-13774 | Extensions | Use after free in Extensions | | 2026-04-26 |
| CVE-2026-13775 | GPU | Use after free in GPU | | 2026-05-10 |
| CVE-2026-13776 | Dawn | Type confusion in Dawn | | 2026-05-14 |
| CVE-2026-13777 | iOSWeb | Inadequate validation of untrusted input in iOSWeb | | 2026-05-14 |
| CVE-2026-13778 | WebUSB | Use after free in WebUSB | | 2026-05-14 |
| CVE-2026-13779 | Chromoting | Use after free in Chromoting | | 2026-05-14 |
| CVE-2026-13780 | ANGLE | Inadequate validation of untrusted input in ANGLE | | 2026-05-19 |
| CVE-2026-13781 | Skia | Inadequate validation of untrusted input in Skia | | 2026-05-25 |
| CVE-2026-13782 | Browser | Use after free in Browser | | 2026-05-26 |
| CVE-2026-13783 | Perspectives | Use after free in Perspectives | | 2026-05-27 |
| CVE-2026-13784 | Perspectives | Use after free in Perspectives | | 2026-05-27 |
| CVE-2026-13785 | Bluetooth | Use after free in Bluetooth | | 2026-05-27 |
| CVE-2026-13786 | Ozone | Use after free in Ozone | | 2026-05-29 |
| CVE-2026-13787 | Chromoting | Use after free in Chromoting | | 2026-06-11 |
| CVE-2026-13788 | Fullscreen | Use after free in Fullscreen | | 2026-06-12 |
Though the low-severity issues are rated as such, fixing them still matters for hardening the browser, particularly against advanced threat actors who chain multiple bugs and rely on social engineering.
Google acknowledges various external researchers and collaborators, in addition to its internal personnel, for identifying these concerns during the Chrome 151 development phase.
Countermeasures
Google urges all users to upgrade to the most recent stable release of Chrome 151 promptly to lessen the risk of code execution threats stemming from these vulnerabilities.
For businesses, security teams should prioritize testing and deploying Chrome 151 throughout managed environments, especially where they rely heavily on extensions, remote desktop (Chromoting), WebUSB, WebXR, Chromecast, and Chrome for iOS.
Organizations should also review their browser security baselines, including extension management, site isolation settings, Safe Browsing configurations, and OS-level exploit defenses, to ensure that they reinforce the protections provided in this update.
Whenever feasible, enabling automatic updates and monitoring Chrome’s security advisory channels can help shorten exposure windows for similarly large batches of fixes in future releases.
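For the managed rollout described above, the following added example (not from Google or the original article) checks an inventory export against the fixed build and flags hosts that are behind or that report no usable version. The CSV column names and host names are constructed for illustration, and the build string is the one printed on this page.

```python
import csv
import io

# Fixed desktop build as printed on this page; replace it if the vendor
# advisory for your channel or platform lists a different build.
FIXED_BUILD = "150.0.7871.46"

# Constructed inventory export (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,chrome_version
ws-001,150.0.7871.46
ws-002,150.0.7871.100
ws-003,150.0.7871.9
ws-004,149.0.7800.120
ws-005,unknown
"""


def parse_version(text):
    """Return a 4-tuple of ints for a Chrome version, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory_csv, fixed_build=FIXED_BUILD):
    """Classify hosts as patched, outdated, or unknown against fixed_build."""
    fixed = parse_version(fixed_build)
    if fixed is None:
        raise ValueError(f"bad fixed build: {fixed_build!r}")
    report = {"patched": [], "outdated": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row.get("chrome_version") or "")
        if version is None:
            # Treat unparseable data as a finding, never as compliant.
            report["unknown"].append(row["host"])
        elif version >= fixed:  # numeric compare, component by component
            report["patched"].append(row["host"])
        else:
            report["outdated"].append(row["host"])
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Comparing the versions as plain strings would misclassify `ws-002` and `ws-003`, because `"100"` sorts before `"46"` and `"9"` sorts after it.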