Executive Summary
Google patched CVE-2026-15773 on July 14, 2026 — a critical use-after-free vulnerability in Chrome's Core component affecting Windows systems. With a CVSS 3.1 score of 9.6 (Critical), this flaw allows a remote unauthenticated attacker to potentially escape the Chrome sandbox by luring a victim to a crafted HTML page.
The vulnerability was one of 15 security fixes bundled in Chrome stable release 150.0.7871.124/125, which also addressed two other critical Use-After-Free issues (CVE-2026-15764 and CVE-2026-15765 in the Ozone component). No in-the-wild exploitation has been confirmed at the time of disclosure.
All Chrome users on Windows should update immediately.
Vulnerability Details
Root Cause
CVE-2026-15773 is a Use-After-Free (CWE-416) memory corruption bug in Chrome's Core component, Windows-specific. Use-after-free flaws occur when a program continues to use a pointer after the memory it references has been freed:
- A Core object is allocated during page rendering
- The object is freed under a specific sequence of operations
- The freed memory region is subsequently referenced
- An attacker-controlled value occupies the freed memory slot
- The attacker achieves controlled code execution within the renderer
Because this vulnerability crosses the sandbox boundary, successful exploitation could grant an attacker the ability to execute code outside the renderer's sandboxed process — equivalent to a full sandbox escape on Windows.
CVSS Vector
| Metric | Value |
|---|---|
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required (visit crafted page) |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| CVSS 3.1 Score | 9.6 Critical |
The Changed scope is what drives the severity to 9.6 — the exploit escapes the sandboxed renderer process and can affect resources outside it.
Affected Versions
| Platform | Vulnerable Versions | Fixed Version |
|---|---|---|
| Windows | Chrome < 150.0.7871.125 | 150.0.7871.124/.125 |
| macOS | Chrome < 150.0.7871.124 | 150.0.7871.124 |
| Linux | Chrome < 150.0.7871.124 | 150.0.7871.124 |
Note: The Windows-specific sandbox escape (CVSS 9.6) applies only to Windows builds. The vulnerability may exist cross-platform but the sandbox escape primitive is Windows-specific per the advisory.
Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) share Chrome's rendering engine and may be affected. Monitor their respective security advisories for patches.
Threat Context
CVE-2026-15773 was discovered and responsibly disclosed by xinchaotian of Microsoft on June 25, 2026 — roughly 19 days before Google's patch. This is part of Chrome's broader July 2026 security update which bundled:
- 2 Critical Use-After-Free issues (including this CVE)
- 12 High severity issues
- 1 Medium issue
No active exploitation has been confirmed by Google, CISA, or third-party threat intelligence sources as of July 15, 2026. The Chromium bug tracker entry remains restricted (non-public), which is standard practice while the patch propagates.
Immediate Remediation
Update Chrome (Priority Action)
- Open Chrome and navigate to
chrome://settings/help - Chrome will automatically detect and download the latest version
- Click Relaunch to complete the update
- Verify: you should see version 150.0.7871.125 or later on Windows
Enterprise Deployment
# Force Chrome update via Google Update (Windows)
$updatePath = "HKLM:\SOFTWARE\Policies\Google\Update"
Set-ItemProperty -Path $updatePath `
-Name "Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" `
-Value 1
# Trigger immediate update check
& "C:\Program Files\Google\Update\GoogleUpdate.exe" /ua /installsource scheduler# Linux — update via package manager
sudo apt update && sudo apt upgrade google-chrome-stable
# macOS — update via brew if applicable
brew upgrade --cask google-chromeIf Patching Is Delayed
- Enable Site Isolation: verify at
chrome://flags/#enable-site-per-process(enabled by default in modern Chrome) - Enable Enhanced Safe Browsing: Settings → Privacy and Security → Security → Enhanced protection
- Restrict untrusted browsing: limit access to known-good sites during the patch window
- Block unknown HTML payloads at the network perimeter where feasible
Detection Guidance
Signs of Exploitation Attempt
Use-after-free exploitation often produces abnormal renderer crashes. Monitor for:
- Chrome renderer process (
chrome.exe --type=renderer) crashing unexpectedly - Windows Event Log: Application crashes for
chrome.exewith access violation exceptions - Chrome crash dumps in
%LocalAppData%\Google\Chrome\User Data\Crashpad\reports\ - Unexpected child process spawning from
chrome.exeoutside normal patterns
Network Indicators
- Visits to recently registered domains delivering complex or obfuscated HTML/JS
- Large inline HTML or script payloads from untrusted external sources
- Unexpected outbound connections from the Chrome process to unknown IPs shortly after page load
Timeline
| Date | Event |
|---|---|
| June 25, 2026 | xinchaotian (Microsoft) reports vulnerability to Google |
| July 14, 2026 | Google releases Chrome 150.0.7871.124/.125 with fix |
| July 14, 2026 | CVE-2026-15773 published to NVD |
| July 15, 2026 | CISA-ADP CVSS 9.6 assessment published |