Google Rolls Out Emergency Repair for 27 “Crucial” Chrome Vulnerabilities, Half Stem from Use-After-Free Bugs — BigGo Finance


Google launched an emergency replace on July 8 for its flagship internet browser, Google Chrome, on desktop and Android, patching a complete of 27 safety vulnerabilities, together with two rated “Crucial.” Of the issues addressed on this replace, 13 are categorised as “use-after-free” reminiscence administration defects, which if exploited might enable an attacker to remotely execute arbitrary code just by having a person open a malicious web site.

Based on Technical Program Supervisor Daniel Yip, Chrome customers on all platforms besides iOS are affected. Google found 24 of the issues internally utilizing a number of detection instruments, together with AI. Whereas no zero-day vulnerabilities or energetic exploitation has been confirmed right now, customers are strongly urged to use the replace instantly.

Overview of Patched Vulnerabilities

The breakdown of vulnerabilities patched on this replace is as follows:

Severity Rely
Crucial 2
Excessive 23
Medium 2

Key vulnerabilities patched embrace a use-after-free in Ozone (CVE-2026-15112), a use-after-free in Views (CVE-2026-15129), an uninitialized use in V8 (CVE-2026-15132), a use-after-free in InterestGroups (CVE-2026-15133), an integer overflow within the Extensions API (CVE-2026-15108), a use-after-free in IndexedDB (CVE-2026-15107), and inadequate knowledge validation in Navigation (CVE-2026-15131).

The affected working methods and their patched variations are as follows:

OS Patched Model
Home windows 150.0.7871.114/.115
macOS 150.0.7871.114/.115
Linux 150.0.7871.114
Android 150.0.7871.114

The desktop replace will roll out regularly over the approaching days to weeks, although customers can even manually replace by Chrome’s settings menu. The Android model is anticipated to be obtainable on Google Play inside days.

The Most Harmful Flaw: CVE-2026-15129

Safety specialists are paying specific consideration to CVE-2026-15129, which has been rated “Crucial.” This use-after-free vulnerability impacts the “Views” element that constitutes Chrome’s person interface. Based on evaluation by VulDB, a safety intelligence platform, the flaw happens when the reminiscence administration operate inside the browser’s UI framework fails to appropriately observe the lifecycle of objects.

In consequence, an attacker might probably execute code remotely utilizing malicious internet content material. VulDB warns that this vulnerability creates a particularly critical assault vector inside the rendering engine answerable for the browser’s show processing. Customers may very well be attacked just by opening a malicious web site, with no additional interplay required. This justifies the “Crucial” severity ranking.

Structural Elements Behind Frequent Use-After-Free Bugs

Use-after-free, which accounts for 13 of the 27 flaws patched this time, is an issue that happens when a program continues to reference reminiscence after it has been freed or deleted from the heap. OWASP (Open Worldwide Software Safety Venture), a non-profit internet safety group, defines it as “undefined habits” that happens when program code makes use of a pointer pointing to reminiscence that has already been freed, making system habits unpredictable.

Based on the Widespread Weak spot Enumeration (CWE) printed by MITRE, if malicious knowledge is enter earlier than the freed reminiscence area is reorganized, an attacker can exploit a “write-what-where” situation to put in writing arbitrary values to arbitrary places, probably enabling arbitrary code execution. In C++, for instance, when newly allotted reminiscence comprises class knowledge, operate pointers are positioned all through the heap. If a kind of pointers is overwritten with a legitimate handle of shellcode—assault code—the attacker can execute arbitrary code.

There are two the reason why use-after-free bugs are incessantly present in Chrome. First, Chrome is a particularly giant piece of software program written primarily in C++. In C++ code, “dangling pointers” that proceed to level to already-invalidated reminiscence areas are liable to happen. As a result of Chrome operates utilizing a number of processes and should dynamically allocate reminiscence and share it throughout a number of operations at runtime to assist complicated internet requirements, there are extra alternatives for bugs resulting in use-after-free to creep in.

Second, Google excels at discovering these vulnerabilities. From a person’s perspective, the regular stream of publicly disclosed vulnerabilities could look like dangerous information. Nonetheless, it’s far preferable for Google’s researchers to find and patch these flaws first utilizing AI-assisted automated fuzzing methods than for attackers to search out and exploit them first.

Notably, the June 2 replace patched 110 use-after-free problems with the identical sort, making this spherical’s rely comparatively smaller. As with different Chrome safety updates, Google’s coverage is to regularly auto-deploy the brand new model and apply the fixes routinely. Customers can both manually examine for updates or await the automated replace to be utilized.