Google has released Chrome 150.0.7871.46 for Windows, Mac, and Linux, sealing a dangerous out‑of‑bounds write in its V8 JavaScript engine. The flaw, tracked as CVE‑2026‑14395, carries a high severity rating and could let a remote attacker execute arbitrary code inside the browser’s sandbox—and possibly beyond it.

A high‑severity flaw in Chrome’s JavaScript engine

The vulnerability sits in V8, the high‑performance JavaScript and WebAssembly runtime that Chrome uses to render pages and run web applications. An out‑of‑bounds write occurs when memory outside the bounds of a predefined buffer is overwritten—a classic memory‑corruption bug that attackers can carefully shape into full code execution. In the worst case, a remote attacker can craft a malicious website that triggers the flaw without any user interaction beyond visiting the page.

Google’s advisory, which typically withholds technical details until most users have updated, notes that CVE‑2026‑14395 is already being actively exploited. The company does not disclose precise attack vectors, but security researchers familiar with V8 weaknesses say that such bugs are often chained with other vulnerabilities to break out of Chrome’s sandbox and gain system‑level privileges.

Chrome 150.0.7871.46 is a priority update. The version number itself tells a story: the jump from the previous stable release (149.x) signals a major milestone packed with patches, and this security fix is the critical cherry on top.

What the patch does—and what it means for Windows users

If you use Chrome on Windows, the update plugs a hole that could let a drive‑by download infect your machine with ransomware, spyware, or a banking trojan. Because Chrome is the most popular browser on the platform, the user base is enormous. Attackers prioritize bugs that affect large numbers of people, and CVE‑2026‑14395 fits that bill.

For the average person at home, the risk is immediate. A booby‑trapped ad, a poisoned search result, or a phishing link could redirect to a site that exploits the V8 bug. Once code executes inside the browser, an attacker might attempt a sandbox escape using a separate Windows kernel flaw—but even without that, they can steal cookies, passwords, and authentication tokens stored by Chrome. The recent trend of session‑theft malware makes this a particularly lucrative avenue for cybercriminals.

Power users who juggle multiple profiles, enable experimental Chrome flags, or run extensions with broad permissions should be even more cautious. An out‑of‑bounds write can corrupt the browser’s own memory, potentially bypassing security boundaries that extensions rely on.

The path from V8 bug to system compromise

Memory‑corruption vulnerabilities in browser engines follow a well‑worn chain of exploitation. First, the attacker uses the out‑of‑bounds write to gain read/write primitives—essentially, the ability to read and write arbitrary memory. With that capability, they can manipulate JavaScript objects in a way that allows them to execute shellcode.

Inside the renderer process, they have remote code execution. By default, Chrome’s sandbox limits what that process can do—it cannot directly access the file system, network, or other processes. But sandbox escapes are a separate class of bugs, and known Windows‑specific privilege‑escalation flaws can be bought on the black market or found in unpatched systems. If the attacker combines the V8 bug with a Windows kernel exploit, they can seize control of the entire machine.

Even without a sandbox escape, the renderer compromise is serious. The attacker can steal all data accessible to that tab: session cookies, login credentials, form data, and anything the browser can see. Chrome’s password manager and sync features make it a high‑value target.

How to check your Chrome version and update now

Updating Chrome on Windows takes less than a minute. Here’s what to do:

  1. Open Chrome.
  2. Click the three‑dot menu in the top‑right corner, then select Help > About Google Chrome.
  3. Chrome will automatically check for updates. If you see a version number lower than 150.0.7871.46, wait for the download to complete.
  4. Click Relaunch to finish the update.

After relaunching, go back to the About page to confirm that you are on 150.0.7871.46 or later. The exact version may appear as 150.0.7871.46 (Official Build) (64‑bit) or similar, depending on your system.

If you have multiple profiles, repeat the process for each one—different profiles might run under different Chrome installations. Also check any companion browsers that share the Chromium engine, such as Microsoft Edge, Brave, or Opera. Edge, for instance, receives its own Chromium patches on a separate schedule, but it will likely incorporate this V8 fix quickly.

What IT admins and developers must do

For system administrators managing fleets of Windows devices, the update must be deployed as a high‑priority patch. Use these techniques:

  • Group Policy: Set the Chrome update policy to force automatic updates and prevent users from pausing them. The administrative template can be configured to apply the update at the next restart.
  • SCCM / Intune: Package the latest Chrome Enterprise MSI (version 150.0.7871.46) and push it to all managed endpoints. Intune’s Windows Update settings can also manage Chrome updates if you’ve configured them.
  • Chrome Browser Cloud Management: In the Google Admin console, navigate to Devices > Chrome > Settings > Chrome updates and set the release channel to Stable. Review the “Update notifications” option to alert users.

Developers who embed Chromium in their own applications via Electron, CEF, or similar frameworks should track the upstream commit that fixes CVE‑2026‑14395 and rebase their projects immediately. If your software processes untrusted web content—such as a custom browser, a web‑based editor, or a desktop app with an embedded web view—it likely inherits this V8 vulnerability. Patching now prevents your users from being exposed even if they haven’t updated their standalone Chrome.

The V8 engine under the microscope

V8’s complexity makes it a frequent target. The engine compiles JavaScript into native machine code, performing just‑in‑time optimizations that sometimes introduce subtle memory errors. Out‑of‑bounds writes can result from incorrect bounds checking in optimized code paths, especially when the engine handles typed arrays or heavily inlined functions.

Google’s security team routinely finds and fixes V8 bugs through internal fuzzing and external bug‑bounty programs. CVE‑2026‑14395 is the third high‑severity V8 issue patched this year—a reminder that the attack surface is large and actively researched by both defenders and adversaries. The Chromium project’s vulnerability disclosure process means that the technical write‑up for this bug may appear on the Chromium bug tracker in a few weeks, once a large percentage of users have updated.

What to watch next

Microsoft’s Security Response Center has not yet issued any advisory related to CVE‑2026‑14395, but Windows users should keep an eye on Edge’s update channel. Because Edge leverages the same Chromium rendering engine, it likely contains the same vulnerable code. Historically, Microsoft has shipped fixes for critical Chromium flaws within a day or two, often silently incorporating the patch into a cumulative security update.

Also watch for reports of widespread exploitation. If this vulnerability is being used in watering‑hole attacks or malvertising campaigns, additional layers of defense—like network‑based threat detection and browser isolation—become urgent. For now, the most effective shield is a fully updated Chrome, combined with Windows’ own mitigations such as Control Flow Guard and Arbitrary Code Guard.