Google has quietly pushed out a critical security patch for the Chrome browser on Windows, macOS, and Linux, fixing a memory corruption bug that could let attackers hijack your PC simply by luring you to a booby-trapped website. The update, tagged as Chrome 150.0.787 in the Stable channel and released on June 30, 2026, addresses CVE-2026-13799, a high-severity use-after-free vulnerability in Chrome’s implementation of the QUIC networking protocol. With no evidence yet of active exploitation, the urgency stems from the flaw’s potential to enable remote code execution and sandbox escape — two ingredients that often combine in real-world drive-by attacks.

What Just Got Fixed

The sole security fix in this update is CVE-2026-13799, reported by an external researcher whose name Google has not disclosed. Use-after-free bugs occur when a program continues to reference memory after it has been freed, leading to memory corruption. In Chrome’s QUIC implementation, which handles HTTP/3 traffic and speeds up connections, a specially crafted network packet could trick the browser into accessing freed memory, potentially allowing an attacker to inject and run malicious code. Because QUIC operates at a low level in the networking stack, a successful exploit might bypass Chrome’s sandbox protections.

Google has assigned a “High” severity rating, meaning the bug can be used to compromise the underlying system with little user interaction. The company hasn’t disclosed whether the flaw allows code execution with the privileges of the sandbox or whether it requires a sandbox escape to fully own the machine. However, a “High” rating for a use-after-free in a network component typically indicates the potential for sandboxed code execution and the possibility of chaining it with a privilege escalation to escape entirely. For now, Google is holding back technical details until the majority of users have applied the update.

The Risk Is Real — Even Without Exploits in the Wild

Even though Google says it is “not aware of active exploitation,” the history of QUIC-related flaws demands quick action. In 2025, attackers exploited a similar use-after-free in QUIC (CVE-2025-12345) within days of its disclosure. And use-after-free bugs are notoriously reliable for crafting exploits because they corrupt heap memory in predictable ways. Combined with the fact that QUIC is enabled by default in Chrome and is used by nearly every major website (including Google, YouTube, and Cloudflare-backed sites), a proof-of-concept weaponized exploit could spread fast. The June 30 patch arrived just four days after Chrome 150’s initial rollout, suggesting Google considered this serious enough to break its typical bi-weekly patching cadence.

What This Means for You

If You’re a Home User

Check your Chrome version now. Chrome updates automatically in the background, but the update may not install until you restart the browser. You can force an immediate check: click the three-dot menu → Help → About Google Chrome. The About page will trigger a download if your version is older than 150.0.787. Once installed, click “Relaunch” to finish. If you see a colored update button in the top-right corner, that also means a restart is pending.

Consider enabling “Enhanced protection” in Chrome’s settings (chrome://settings/security) — this sends suspicious URLs to Google Safe Browsing for real-time analysis and may block exploit sites before a patch is applied. While not a silver bullet, it raises the bar against zero-day attacks.

For IT Administrators

This is a high-priority patch. Deploy it across your entire fleet using your standard update mechanism (Group Policy, SCCM, or Chrome Browser Cloud Management). The update does not require a server redirect because it’s the same Stable channel version. You can download the enterprise installer (MSI) directly from Google’s website. Be aware that the fix may also be bundled with Chrome 150’s new features — including changes to password manager UI and AI-powered phishing detection — so test it on a pilot group if you have strict compatibility requirements. But given the security severity, you should aim for a 24-hour rollout.

If you use Chrome’s legacy browser extension or run Chrome alongside other Chromium browsers (Edge, Brave, Opera), those browsers will likely receive their own patches if they incorporate the same QUIC stack. Edge’s next update will probably include this fix, but Microsoft has not yet confirmed. In the meantime, consider enabling the “Block third-party cookies” setting or “Strict” tracking prevention as a temporary mitigation, though that won’t stop QUIC-level attacks.

For Developers

If you’re building web apps or services that rely on QUIC/HTTP/3, test your endpoints against Chrome 150.0.787 to ensure no regressions. Google’s QUIC stack is used internally, and this fix might slightly alter connection behaviors. Also, if you maintain your own Chromium fork, apply the patch from the stable branch to your codebase.

How We Got Here

QUIC (Quick UDP Internet Connections) was originally designed by Google in 2012, standardized by the IETF in 2021, and became the foundation of HTTP/3. Chrome has shipped with QUIC enabled by default since 2021. While QUIC offers lower latency and better multiplexing, its complexity has introduced new attack surfaces. In 2022, Chrome fixed a critical heap buffer overflow in QUIC (CVE-2022-1096) that was exploited in the wild. In 2024, researchers from Citizen Lab uncovered a QUIC session migration flaw used by a commercial spyware vendor. Each major incident prompted Google to tighten memory handling in the QUIC stack, but use-after-free remains a persistent challenge, especially when processing fragmented or malformed QUIC packets.

Chrome 150 itself arrived on June 24, 2026, with a slew of UI refreshes and behind-the-scenes performance boosts. The CVE-2026-13799 patch was not originally planned; it was pulled into the stable branch as a security-only release, a pattern Google uses when a serious bug is discovered shortly after a version launch. The patch landed in Chrome 150.0.787, bumping the build from 150.0.786 to 150.0.787 on Windows/macOS/Linux.

Action Steps: How to Patch Now

  1. Check your current version
    Open Chrome and look at the three-dot menu; if you see “Update” or a green/orange arrow, restart the browser to apply.
    Alternatively, navigate to chrome://settings/help — it will show the current version and start an update if needed. The fixed version reads “150.0.787” (the exact build number may end with a revision like .100 — accept any build at or above 150.0.787).

  2. Install the update
    If you’re on Windows or Mac, Chrome downloads the update in the background. Force it by closing all Chrome windows and reopening, or use the “Relaunch” button on the About page.
    On Linux, use your package manager: sudo apt update && sudo apt install --only-upgrade google-chrome-stable (Debian/Ubuntu) or sudo dnf upgrade google-chrome-stable (Fedora). Verify the version with chrome://version.

  3. Restart and verify
    After relaunching, revisit chrome://settings/help to confirm the version reads 150.0.787 or higher. At that point the security fix is in effect.

  4. Corporate environments
    - Download the offline installer from the enterprise update site (MSI or PKG).
    - Push through Group Policy or third‑party deployment tools.
    - Enforce automatic updates via the ChromeUpdatesPolicy setting.
    - Remind employees to restart Chrome at end of day if the update hasn’t been applied.

  5. Stay informed
    Monitor Google’s Chrome Releases blog for any updates on active exploitation. If evidence of in-the-wild attacks emerges, Google may release a more detailed technical bulletin.
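
For fleet owners, the verification in steps 1 to 4 can be scripted. The following is an added example, not from Google or the original article: it compares version strings numerically against the 150.0.787 build named above and separates hosts that have the update installed but are still running an old process (restart pending) from hosts that are unpatched. The hostnames, inventory rows and status labels are constructed for illustration.

```python
import re

FIXED_BUILD = (150, 0, 787)  # first fixed build named in the article


def parse_version(text):
    """Pull a dotted version out of strings like 'Google Chrome 150.0.787.100'."""
    m = re.search(r"\d+(?:\.\d+){1,3}", text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def at_least(version, minimum=FIXED_BUILD):
    """Numeric, component-wise comparison; a missing trailing component counts as 0."""
    width = max(len(version), len(minimum))
    pad = lambda v: tuple(v) + (0,) * (width - len(v))
    return pad(version) >= pad(minimum)


def classify(installed_text, running_text):
    """installed_text: version on disk; running_text: version of the live process ('' if none)."""
    installed = parse_version(installed_text)
    if installed is None:
        return "unknown"
    if not at_least(installed):
        return "vulnerable"
    running = parse_version(running_text)
    if running_text and running is None:
        return "unknown"
    if running is not None and not at_least(running):
        return "restart-pending"  # update downloaded, old binary still in memory
    return "patched"


# Constructed inventory: (host, installed version string, running process version)
INVENTORY = [
    ("ws-001", "Google Chrome 150.0.787.100", "150.0.787.100"),
    ("ws-002", "Google Chrome 150.0.787.100", "150.0.786.52"),
    ("ws-003", "Google Chrome 150.0.786.52", "150.0.786.52"),
    ("ws-004", "Google Chrome 150.0.99.0", ""),   # 99 < 787 numerically, not as text
    ("ws-005", "Google Chrome 151.0.12.0", ""),
    ("ws-006", "command not found", ""),
]


def audit(rows=INVENTORY):
    return {host: classify(inst, run) for host, inst, run in rows}


if __name__ == "__main__":
    for host, status in audit().items():
        print(f"{host}\t{status}")
```

Hosts reported as restart-pending are the ones the end-of-day restart reminder in step 4 is meant to catch.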

What to Watch Next

Google typically lifts the veil on technical details once the majority of users have patched, often within two weeks. Expect a blog post from the Chrome Security Team explaining the root cause and crediting the finder. Given the high severity, CISA might add this CVE to its Known Exploited Vulnerabilities catalog if exploitation appears. Additionally, Apple and Microsoft will likely port the QUIC fix to their WebKit and Edge browsers, respectively, so keep an eye on updates from those companies. In the longer term, this incident may fuel further hardening of QUIC in Chromium, perhaps moving more QUIC parsing to a dedicated, sandboxed process — a change Google has experimented with before.