Google has shipped an emergency security update to Chrome’s stable channel, fixing a dangerous use-after-free vulnerability in the browser’s navigation system. The flaw is tracked as CVE-2026-14006, and every Chrome user on Windows, macOS, and Linux needs to update to version 150.0.7871.47 or later. Those running older builds are left wide open to remote code execution attacks.
The Patch Arrives: Chrome 150.0.7871.47 and Beyond
The update delivers a single but critical fix. No new features or user-facing changes accompany it. Google’s release notes for the stable channel—published on the Chrome Releases blog—confirm that the defect is a use-after-free in navigation, a class of memory management flaw that can corrupt program logic and let an attacker run malicious code inside the browser’s sandbox. From there, a second exploit could chain out to compromise the operating system.
More than two dozen downstream Chromium browsers inherit the same codebase, so the window of exposure is exceptionally wide. Microsoft Edge, Brave, Opera, Vivaldi, and Samsung Internet are just the most popular of the browsers that must now issue their own patches. Google’s own fix is available as an automatic update for anyone who already runs Chrome; users who don’t see the update yet can trigger it manually.
Understanding Use-After-Free and Navigation Attacks
Use-after-free bugs occur when a program continues to reference a region of memory after it has been freed for reuse. An attacker who can control what fills that memory can redirect execution, effectively hijacking the browser process. In navigation—the code that moves the user from one page to another, handles session history, and processes redirects—a use-after-free is especially treacherous because it can be reached from ordinary web browsing without the user clicking a malicious link.
Google hasn’t yet disclosed technical details of CVE-2026-14006, a standard practice it follows to give users time to patch. But a brief mention in the Chrome release notes says the vulnerability was reported by an external researcher, and the issue is tracked as “High” severity. That rating, combined with the “use-after-free” label, suggests that remote code execution is a realistic outcome, even if the company hasn’t confirmed exploitation in the wild.
Immediate Steps for Windows, Mac, and Linux Users
Chrome’s built-in updater should fetch and install version 150.0.7871.47 (or later) within a few hours of the release. To be safe, open the browser, click the three-dot menu, go to Help > About Google Chrome, and let the checker run. If the current version shows any number below 150.0.7871.47, an update will begin immediately. Restart the browser to complete the process.
Enterprise administrators who manage Chrome via Group Policy or an update management tool should verify that the automatic update policies are not blocking the patch. The same version number marks the security baseline for Chrome component updates and for the WebView2 runtime, which many desktop applications embed for web content. IT teams should audit their software inventory and push the WebView2 runtime update as well.
Users of other Chromium-based browsers need to check each browser’s own update mechanism. Microsoft Edge, for example, will ship its fix through Windows Update or its in-browser updater. Brave and Opera maintain independent release cycles but generally follow Chrome’s security patches within a day or two. Until every Chromium browser on a device has been updated to its vendor’s corresponding fixed version, the device remains at risk.
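For administrators auditing an inventory, the version check described above can be scripted. The following is an added example, not code from Google or from the original article: it compares version strings against the 150.0.7871.47 baseline numerically, because a plain string comparison ranks 150.0.7871.9 above 150.0.7871.47. The inventory line format, the sample entries and the function names are assumptions, and only Google Chrome is measured against the Chrome baseline; other Chromium browsers are flagged for a check against their own vendor's fixed version.

```python
import re

# Fixed Chrome build named in the article; any lower build is exposed.
BASELINE = (150, 0, 7871, 47)

# Four-part dotted version as printed by `--version` or an inventory tool.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(line):
    """Classify one inventory line (assumed format: '<product name> <version>')."""
    version = parse_version(line)
    if version is None:
        return "unparsed"  # no usable version: needs manual review
    if not line.strip().lower().startswith("google chrome"):
        # Other Chromium browsers use their own version numbering, so the
        # Chrome baseline is not applied to them here.
        return "check-vendor"
    # Tuple comparison is numeric per component: (…, 9) < (…, 47).
    return "patched" if version >= BASELINE else "vulnerable"


def needs_action(lines):
    """Return every line that is not confirmed patched, with its status."""
    return [(line, status) for line in lines
            if (status := classify(line)) != "patched"]


# Constructed sample inventory (not real telemetry).
SAMPLE = [
    "Google Chrome 150.0.7871.47",
    "Google Chrome 150.0.7871.9",
    "Google Chrome 149.0.7800.120",
    "Google Chrome 151.0.7900.3",
    "Microsoft Edge 150.0.3800.12",
    "Google Chrome (version unknown)",
]

if __name__ == "__main__":
    for line, status in needs_action(SAMPLE):
        print(f"{status:13} {line}")
```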
How We Got Here: Chrome’s Security Update Cadence
Chrome’s rapid release cycle—a new major version every four weeks—normally includes a batch of security fixes. Critical zero-day vulnerabilities, however, receive an out-of-band or expedited release. CVE-2026-14006 is one of those: it was patched just days after it was reported, a turnaround that suggests Google treated it as urgently exploitable.
This isn’t the first time a use-after-free in navigation has forced an emergency patch. Chrome’s V8 JavaScript engine and its rendering pipeline have been recurring sources of similar flaws, but navigation bugs are less common. Each one reinforces why the browser’s defense-in-depth strategy—sandboxing, site isolation, and on-demand updates—is essential.
What to Watch Next
Within the next few days, expect the Chromium open-source project to update its repository with the fix, allowing all downstream browsers to pick up the patch. Once a critical mass of users is protected, Google will likely publish a full advisory with a technical write-up. Security researchers and red teams will then reverse-engineer the flaw, and exploit code may surface. Regular users don’t need to follow that detail, but they do need to make sure they’re on the latest version before that happens.
For now, the most important action is the simplest: check your browser version, update if needed, and restart Chrome. A few seconds now prevents a much messier cleanup later.