New Google Chrome replace fixes a number of use-after-free safety flaws.
© 2025 Bloomberg Finance LP
As Google confirms one more safety replace for the world’s hottest internet browser, with an estimated 3.8 billion customers throughout a number of platforms, one sort of flaw once more dominates the vulnerability listing. Of the 27 safety vulnerabilities listed within the official Chrome launch alert, 13 are of the use-after-free selection. Two of those are rated essential, whereas 10 have been given high-severity standing. OK, in order that pales into insignificance in comparison with the 110 such points that appeared within the June 2 replace, however what’s a use-after-free flaw and why are these vulnerabilities so commonplace and harmful?
Google Chrome 150.0.7871.114/.115 Safety Patch
The explanation for the July 8 Chrome replace has now been confirmed by Google technical program supervisor Daniel Yip. Effectively, 27 causes, to be exact, all of them safety vulnerabilities affecting internet browser customers throughout each platform besides iOS. 24 of those safety flaws have been uncovered by Google itself, utilizing quite a lot of inner discovery instruments together with AI ones, and 13 of the full have been of the use-after-free selection.
An important of those, in my by no means humble opinion, is the essential severity-rated CVE-2026-15129. Whereas Google has but to launch any technical particulars relating to this use-after-free vulnerability past it impacting the Chrome Views part, an evaluation from the safety specialists at VulDB has revealed that “the flaw happens throughout the browser’s person interface part system the place reminiscence administration fails to correctly observe object lifecycles, creating alternatives for distant code execution via malicious internet content material.”
The essential score is properly deserved, because the vulnerability, if exploited, would offer attackers with “a essential assault floor throughout the browser’s rendering engine,” VulnDB warned, with out requiring any person interplay past visiting a malicious web site. Fortunately, not one of the vulnerabilities patched within the newest replace are of the Chrome zero-day selection, and as such there have been no identified exploits on the time of writing.
The total listing of safety vulnerabilities patched by the newest Chrome replace will be discovered here, however within the meantime let’s take a more in-depth take a look at use-after-free flaws and why they’re directly so commonplace and doubtlessly so harmful.
Use-After-Free Chrome Vulnerabilities Defined
The Open Worldwide Software Safety Challenge defines a use-after-free situation as one thing that occurs when a program references heap-allocated reminiscence after it has already been freed or deleted. The usage of such reminiscence pointers in code can, unsurprisingly, result in “undefined system habits and, in lots of circumstances, to a write-what-where situation,” OWASP explains. This gained’t at all times be the case, after all, and there can be events the place a use-after-free error has no discernible impression. Nonetheless, issues begin to get problematical when one causes this system to crash, and positively harmful when it allows the exploitation of “one other memory-based vector to compromise the system.” This may result in knowledge corruption and even arbitrary code execution.
The official MITRE Frequent Weak spot Enumeration entry for use-after-free vulnerabilities describes how malicious knowledge “entered earlier than chunk consolidation can happen” can make the most of a write-what-where primitive to execute arbitrary code. “If the newly allotted knowledge occurs to carry a category,’ in C++ for instance, “numerous perform pointers could also be scattered throughout the heap knowledge,” the MITRE CWE continues, including that “if considered one of these perform pointers is overwritten with an deal with to legitimate shellcode, execution of arbitrary code will be achieved.”
And there lies the rub: Chrome is primarily an enormous C++ codebase. The invention of dangling reminiscence pointers in C++ code is hardly uncommon, particularly when the code is extraordinarily advanced and dynamic. A codebase the scale of Chrome simply ups the stakes significantly, spanning a number of processes and accounting for advanced internet requirements that demand dynamic reminiscence sharing, which means there are extra to be discovered. That’s clarification quantity considered one of why Chrome use-after-free flaws are commonplace; clarification quantity two should even be taken under consideration: Google is nice at discovering them. This can be a good factor, despite the fact that a myriad of vulnerabilities at all times seem like a nasty factor to finish customers. The reality is, I’m a lot happier that Google researchers are uncovering these items utilizing their automated fuzzing methods, assisted by AI, quite than risk actors utilizing them in opposition to me. You need to be as properly. The takeaway is that Google has you lined, and, as with all Chrome safety updates, the rollout and patching are computerized.










