Google Patches Three Critical Use-After-Free Flaws in Chrome

Google Issues Second Critical Chrome Update in 48 Hours

CRITICAL
July 18, 2026
3m read
Patch ManagementVulnerability

Related Entities

Organizations

Products & Tech

Google Chrome

CVE Identifiers

CVE-2026-15899
CRITICAL
CVE-2026-15900
CRITICAL
CVE-2026-15901
CRITICAL

Full Report

Executive Summary

Google has released a second emergency security update for its Chrome browser in a 48-hour period, patching three additional critical-severity vulnerabilities. This rapid succession of patches underscores the aggressive pace at which browser vulnerabilities are being discovered and fixed. The latest update addresses three distinct use-after-free flaws that could allow an attacker to execute arbitrary code on a victim's system by convincing them to visit a malicious website. All users are urged to update their browsers immediately.

Vulnerabilities Addressed

The update released on July 16, 2026, follows another major update from July 14 and specifically addresses three critical use-after-free (UAF) vulnerabilities. A UAF flaw occurs when a program tries to use a pointer to a memory location that has already been deallocated, which can be exploited to corrupt data or hijack program execution.

The patched vulnerabilities are:

  • CVE-2026-15899: A critical use-after-free vulnerability in the CameraCapture component.
  • CVE-2026-15900: A critical use-after-free vulnerability in the GPU process.
  • CVE-2026-15901: A critical use-after-free vulnerability in the Network component.

Notably, all three of these critical flaws were discovered by Google's internal security teams, suggesting that the company's own fuzzing and code analysis tools are becoming increasingly effective at finding serious bugs before they are reported by external researchers.

Affected Products

  • Google Chrome for Windows, Mac, and Linux, for versions prior to the latest release (check chrome://settings/help for the current version).

Impact Assessment

Exploitation of these use-after-free vulnerabilities could allow an attacker to escape the browser's sandbox and execute arbitrary code on the host operating system. This would grant the attacker the same level of permission as the logged-in user. Such an attack would typically be initiated by tricking a user into navigating to a specially crafted malicious webpage. A successful exploit could lead to the installation of malware, theft of sensitive data, or complete system takeover.

Patch Details

The security fixes are being rolled out to users via Chrome's automatic update mechanism. The updates will be applied the next time the user restarts their browser. Google has not released detailed technical information or proof-of-concept code for these vulnerabilities to prevent their immediate exploitation.

Deployment Priority

Critical. Due to the severity of the vulnerabilities, all organizations and individual users should ensure the update is applied as soon as possible. The risk is high for all users who browse the web, as a single visit to a compromised or malicious site could lead to compromise.

Installation Instructions

  1. Open Google Chrome.
  2. Click the three-dot menu in the top-right corner.
  3. Go to Help > About Google Chrome.
  4. Chrome will automatically check for and download the latest update.
  5. After the update is downloaded, click the Relaunch button to apply the patch.

Cyber Observables — Hunting Hints

Detecting exploitation of browser vulnerabilities on the endpoint before a patch is applied is very difficult. The primary defense is rapid patching. Post-patch, no hunting is typically required unless there is suspicion of prior compromise.

Timeline of Events

1
July 14, 2026
Google releases the first of two significant Chrome security updates.
2
July 16, 2026
Google releases the second emergency Chrome update, patching three critical UAF flaws.
3
July 18, 2026
This article was published

MITRE ATT&CK Mitigations

The only effective mitigation is to ensure Google Chrome is updated to the latest version, which contains patches for these vulnerabilities.

Using web filtering solutions to block access to known malicious or untrusted websites can reduce the risk of users being exposed to exploit kits.

Timeline of Events

1
July 14, 2026

Google releases the first of two significant Chrome security updates.

2
July 16, 2026

Google releases the second emergency Chrome update, patching three critical UAF flaws.

Sources & References

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Editorial Standards & Analyst Review

CyberNetSec.io uses automation to assist source monitoring, deduplication, observable extraction, and structured intelligence generation. Published analysis follows human-defined editorial standards and adds defensive context including MITRE ATT&CK, D3FEND, STIX, and Sigma where applicable. Read our editorial policy.

Tags

google chromevulnerabilitypatchuse-after-freecvebrowser security

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.