Google has shipped Chrome 150.0.7871.128/.129 for Windows and Mac with a fix for CVE-2026-15900, a critical use-after-free vulnerability in Chromium’s GPU component. The update is rolling out now, and Windows users and administrators should treat it as an immediate browser-patching priority rather than wait for the National Vulnerability Database to finish its record.
Google’s July 16 Chrome Stable release lists CVE-2026-15900 as “Use after free in GPU,” reported internally by Google on June 14. The same release contains seven security fixes, including three critical use-after-free flaws affecting CameraCapture, GPU, and Network. CERT-FR subsequently confirmed that Chrome versions earlier than 150.0.7871.128 on Windows and Linux, and earlier than 150.0.7871.129 on macOS, are affected.
The NVD page currently returns “CVE ID Not Found.” That is not a signal that the report is invalid or that systems are safe. NVD itself explains that assigned CVEs can be unavailable while their records remain reserved or have not yet been ingested and analyzed. In this case, the Chrome release bulletin and the CVE record referenced by CERT-FR establish that the identifier exists; the lag is in NVD publication and enrichment.

Enterprise security dashboard shows a browser patching a critical GPU vulnerability with 78% progress.The GPU Process Is a Valuable Boundary to Defend​

A use-after-free occurs when software continues to access memory after it has been released. Depending on how the stale memory is reused, the bug can cause a crash, corrupt program state, disclose data, or enable code execution. In a browser, severity depends heavily on the component involved, the attacker’s ability to reach the vulnerable code through web content, and whether other safeguards such as sandboxing prevent the flaw from becoming a full system compromise.
Google has rated CVE-2026-15900 critical, but has not publicly disclosed its technical root cause, attack requirements, exploitability details, or a proof of exploitation in the wild. That restraint is normal for Chrome security fixes: Google frequently keeps issue-tracker entries restricted while an update propagates, reducing the opportunity for attackers to reverse-engineer a patch faster than users can install it.
The GPU label should not be confused with a faulty Nvidia, AMD, or Intel display driver. Chromium uses a dedicated GPU process and graphics stack for hardware-accelerated compositing, video decode, Canvas rendering, WebGL, and related tasks. A vulnerability there concerns browser code that orchestrates those workloads, even though browser behavior can interact with Windows graphics APIs and installed drivers.
For Windows users, that distinction matters. Updating the GPU driver remains sensible operational hygiene, especially when addressing stability problems, but it is not a substitute for the Chrome update that contains the application-level security fix.

Chrome 150.0.7871.128/.129 Is the Immediate Fix​

Google’s Stable channel update identifies 150.0.7871.128/.129 as the patched Windows build. Chrome’s two-number notation reflects separate Windows and macOS build packaging; organizations should use their software inventory and endpoint-management tools to confirm that installed Chrome instances meet or exceed the patched release.
The release is not narrowly about CVE-2026-15900. Administrators that postpone it leave systems exposed to a cluster of memory-safety and validation issues fixed in the same package:
  • CVE-2026-15899 is a critical use-after-free issue in CameraCapture.
  • CVE-2026-15900 is the critical GPU use-after-free issue.
  • CVE-2026-15901 is a critical use-after-free issue in Network.
  • CVE-2026-15902, CVE-2026-15904, and CVE-2026-15905 are high-severity use-after-free flaws in Cast, Ozone, and Aura, respectively.
  • CVE-2026-15903 is a high-severity out-of-bounds read and write issue in V8, Chromium’s JavaScript and WebAssembly engine.
That combination makes this a straightforward deploy-now release. Even if a local risk review concludes that GPU acceleration is restricted in a given virtual desktop image or kiosk deployment, the same Chrome package closes defects elsewhere in the browser.
For individual users, Chrome normally downloads updates in the background, but the new build is not fully active until the browser is restarted. Opening Chrome’s About page forces an update check on managed and unmanaged installations alike, though enterprise policy can defer installation or restart behavior.
For IT teams, the practical response is to approve the current Chrome Stable package in the existing patch workflow, target devices that have missed prior browser updates, and require a restart within the organization’s normal change window. Browser-version compliance should be validated after deployment rather than inferred from an installer’s successful execution; persistent Chrome processes can continue to run an earlier vulnerable binary until restart.

NVD’s Absence Creates an Inventory Problem, Not a Patch Exception​

The current NVD result is likely to frustrate vulnerability-management teams that build dashboards, tickets, and remediation rules from NVD feeds. A missing NVD entry can prevent automatic enrichment with CPE mappings, severity vectors, affected-version ranges, and scanner signatures. It should not become a reason to suppress the finding.
CERT-FR’s July 17 advisory identifies the affected Chrome version threshold and points to Google’s July 16 bulletin. Neowin’s reporting on the release independently lists CVE-2026-15900 among the three critical issues corrected in Chrome 150.0.7871.128/.129. Those vendor and national-CSIRT signals provide enough information to open and track remediation work while the NVD catches up.
The responsible approach is to record the vendor’s fixed build, the date of the Chrome security release, and the limited public description: a critical use-after-free in GPU. Avoid assigning an invented CVSS score, asserting a sandbox escape, or labeling the issue a zero-day. Google has not made those claims in the publicly available release material.
This is also a reminder that NVD is an analysis and aggregation source, not the authoritative release gate for every browser fix. Chrome’s release bulletin is the operational source for the availability of the patch; the CVE program’s record establishes the identifier; NVD enrichment is useful when it arrives but does not change the action required today.

Do Not Assume Every Chromium Browser Is Already Covered​

Chrome and Chromium are related, but a Chrome fix does not automatically mean a same-day update for Microsoft Edge, Brave, Opera, Vivaldi, Electron applications, or other downstream products. Each vendor must incorporate the relevant Chromium changes, produce a release, and distribute it through its own update channel.
Windows administrators should therefore separate two questions that are often collapsed into one: whether Chrome is updated to 150.0.7871.128/.129, and whether any other Chromium-based browser or embedded runtime in the environment has shipped an equivalent fix. The Chrome bulletin confirms the first. It does not establish patched versions for Microsoft Edge or other vendors.
That is particularly important in managed environments where Edge is the standard browser but Chrome is allowed for selected workflows, development, testing, or legacy web applications. A Chrome-focused alert should trigger an inventory review of all installed browsers, not an unsupported conclusion that an Edge installation has either been remediated or exposed.
Disabling hardware acceleration may reduce exposure to some graphics paths in specific circumstances, but it is not an assured mitigation for this CVE, can damage video and rendering performance, and does nothing for the other six flaws addressed in the same update. The durable control is the vendor’s patched browser build.
CVE-2026-15900’s NVD page may be blank on July 17, 2026, but the remediation path is not: get Windows Chrome installations to 150.0.7871.128 or later, restart them, and track downstream Chromium products independently until their vendors publish corresponding security updates.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-17T17:42:38-07:00
  2. Security advisory: MSRC
    Published: 2026-07-17T17:42:38-07:00
    Original feed URL