Google shipped an emergency patch for Chrome on Windows late Tuesday, closing a dangerous security hole in the browser’s installer that could hand full system control to a local attacker. The fix, arriving in version 150.0.7871.47, tackles CVE-2026-14094, a use-after-free bug that requires immediate action from every Windows user running Chrome.
What the Update Fixes
CVE-2026-14094 is a use-after-free vulnerability tucked inside the Chrome installer for Windows. When a local user runs the installer, a memory-safety flaw lets the process keep using a heap allocation after it has been freed; an attacker who can influence what lands in that freed block can corrupt the process and execute arbitrary code with the installer's privileges. Because the Chrome installer runs as SYSTEM or as an administrator to set up the browser, successful exploitation grants the attacker those same high-level permissions, effectively the keys to the entire Windows machine.
Google's advisory confirms the bug can be triggered without any user interaction beyond launching the installer under conditions the attacker has prepared. That means a malicious actor who already has code running in a standard account, planted via a phishing lure or a drive-by download, could use this flaw to escalate silently to full administrative control. No clicking past a UAC prompt is necessary, because the elevated component is Google's own trusted, digitally signed software; the attacker only has to trigger the flaw inside it.
The patch in version 150.0.7871.47 replaces the vulnerable installer component. Chrome's update mechanism delivers it automatically, and a fresh download from Google's servers also bundles the corrected version. Google has not published a CVSS score. For reference, a local (AV:L), low-complexity bug exploitable from a low-privileged account (PR:L) with no user interaction and total compromise of confidentiality, integrity and availability scores 7.8 (High) under CVSS v3.1, which is the same band as most Windows local privilege escalation fixes. Whatever the label, treat it as top priority in any environment where attackers might already have a foothold, since it converts a foothold into full control.
Who’s at Risk and What It Means
For Home Users
Every Windows PC running Chrome before version 150.0.7871.47 carries the vulnerable installer. The threat model here is a local attacker: someone already sitting at the keyboard, or code already running with limited permissions. That covers a surprising array of real-world scenarios, such as a family member with a guest account, malware that slipped past antivirus, or a malicious browser extension or other program executing under a low-privileged account. Once the attacker escalates, they can install ransomware, steal passwords, or plant a persistent backdoor.
Home users often postpone updates. This is one you don't want to sleep on. The attack doesn't require sophisticated social engineering; running an old Chrome setup file, even one that was a legitimate download at the time, is enough to bring the vulnerable installer back into play. Updating the browser fixes the installer that ships with it, but a pre-patch setup executable left in a Downloads folder or on a shared drive still contains the flawed code, and users may not realize that until they, or an adversary, launch it again.
For IT Administrators
This CVE is a nightmare for managed environments. Many enterprises rely on group policy or deployment tools to push Chrome across fleets. If the network’s golden installer image predates 150.0.7871.47, every new machine or re-image spins up a vulnerable installation. Worse, help-desk technicians who routinely reinstall Chrome to fix unrelated issues could be stepping through a trapdoor without knowing it.
Remote workers using personal Windows laptops under bring-your-own-device policies amplify the risk. A compromised home machine can be used to move laterally into corporate resources over the VPN. Microsoft Defender or other endpoint detection platforms may not flag the exploit, because it rides on a legitimate, signed Google binary. Logs would show a standard Chrome install, not a malware execution.
Admins must immediately verify that every existing Chrome installation — both on endpoints and in deployment repositories — has been updated. This includes checking thin clients, virtual desktops, and any system where Chrome is a secondary browser. Patch management suites should be set to force-install the update, and legacy installer files must be purged.
For Developers and Power Users
Developers who run custom scripts or automated build pipelines that fetch the Chrome installer from a cached location risk reintroducing the vulnerable binary. Continuous integration environments that spin up Windows images with a pre-installed Chrome are also exposed until the base image is rebuilt. The attack surface here is small but real. Ironically, a privilege escalation bug matters least on the many developer machines where users already hold local admin rights, and most in shops that have done the right thing and taken those rights away.
The Path to This Patch
Google's security team moves fast, often patching zero-days within days of discovery. CVE-2026-14094 follows a pattern seen in previous installer-related bugs: a component with elevated privileges doesn't properly manage memory, leaving a dangling pointer that can be redirected to attacker-controlled data. Installer-level privilege escalation is not unique to Chrome; Mozilla has patched local privilege escalation flaws in the Firefox installer and its Windows maintenance service more than once, and Microsoft's own Windows Installer (MSI) has been a recurring source of elevation-of-privilege fixes on Patch Tuesday.
The Chrome vulnerability was reported through Google's Chrome Vulnerability Reward Program, which pays external researchers for responsible disclosure. The company's advisory credits a researcher identified only as "nexus0v1" for finding the flaw. No details about active exploitation have been publicized, but the gap between report and patch, less than 72 hours, suggests Google considers it serious enough to fast-track.
Historically, use-after-free errors are a favorite among exploit developers because they are relatively easy to trigger and difficult to detect post-compromise. After a free, the program still holds a dangling pointer to the old block; if the attacker can persuade the allocator to hand that same block to a new allocation they control, the stale pointer now reads or writes attacker-chosen data, which is how control of execution is won. Modern mitigations like Control Flow Guard and Address Space Layout Randomization (ASLR) make exploitation harder, but they are not silver bullets, especially for a process that already runs at high integrity, where a single successful write is worth a full elevation.
What You Should Do Right Now
Update Chrome immediately. The simplest step is also the most effective:
- Open Chrome.
- Click the three-dot menu in the top-right corner.
- Go to Help > About Google Chrome.
- Chrome will check for updates and begin downloading version 150.0.7871.47 or later.
- Click Relaunch to apply the update.
Even if Chrome says it’s up to date, manually triggering the check ensures you receive the patched installer. The browser’s background update service can be delayed for hours.
For enterprise environments:
- Retrieve the latest MSI installer from Google’s enterprise download page.
- Update your deployment tools (SCCM, Intune, PDQ Deploy, etc.) with the new package.
- Force a reinstall on critical systems if you can’t confirm the update status.
- Use the Google Update Group Policy templates to keep Chrome updating: set "Update policy override default" (or the per-application "Update policy override" for Google Chrome) to "Always allow updates", and make sure no "Target version prefix override" is pinning the fleet to an old build.
Verify the version: After updating, type chrome://version in the address bar. The first line should read “150.0.7871.47” or higher. If not, repeat the update process.
Watch for anomalous installer behavior: Until you're patched, avoid running any Chrome setup executable you didn't download directly from google.com. If your browser prompts you to reinstall or repair, investigate before proceeding; those dialogs can be faked by malware.
Consider a full reinstall for high-risk machines: If a machine has had multiple users or been connected to untrusted networks, the safest route is to uninstall Chrome entirely, delete any residual installer files in %TEMP% or Downloads, and then re-download from Google's official site. This removes any stale or tampered installer files.
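The checks above (installed version, update policy, leftover installer files) can be scripted so an administrator can run them across a fleet instead of clicking through chrome://version on each machine. The following PowerShell is an added example written for this article, not a Google tool; it assumes 150.0.7871.47 is the fixed build, uses the Google Update registry locations and the Chrome stable application GUID {8A69D345-D564-463c-AFF1-A69D9E530F96}, and takes an optional list of deployment-share paths to scan.

```powershell
# Added example (not from Google or the original article): audit a Windows host for a
# Chrome build older than the fixed version, for Google Update policy that would block
# the fix, and for stale Chrome installer files. Assumptions: the fixed build below,
# the Google Update registry paths and the Chrome stable app GUID.

$FixedVersion = [version]'150.0.7871.47'
$ChromeGuid   = '{8A69D345-D564-463c-AFF1-A69D9E530F96}'

function Get-InstalledChromeVersion {
    # Prefer Google Update's own record of the installed version ('pv'); fall back to
    # the file version of chrome.exe if the registry key is missing.
    foreach ($hive in 'HKLM:\SOFTWARE\WOW6432Node', 'HKLM:\SOFTWARE') {
        $pv = (Get-ItemProperty -Path "$hive\Google\Update\Clients\$ChromeGuid" -Name pv -ErrorAction SilentlyContinue).pv
        if ($pv) { return [version]$pv }
    }
    foreach ($exe in "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
                     "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe") {
        if (Test-Path $exe) { return [version](Get-Item $exe).VersionInfo.FileVersion }
    }
    return $null
}

function Test-ChromePatched {
    param([version]$Installed, [version]$Fixed = $FixedVersion)
    if (-not $Installed) { return $false }   # no Chrome found: report it, do not assume safe
    return $Installed -ge $Fixed
}

function Get-ChromeUpdatePolicy {
    # Google Update policy values: 0 = updates disabled, 1 = always allow,
    # 2 = manual updates only, 3 = automatic silent updates only.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Google\Update' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UpdateDefault       = $pol.UpdateDefault
        UpdateChrome        = $pol."Update$ChromeGuid"
        TargetVersionPrefix = $pol."TargetVersionPrefix$ChromeGuid"
        BlocksFix           = ($pol."Update$ChromeGuid" -in 0, 2) -or ($pol.UpdateDefault -in 0, 2) -or
                              [bool]$pol."TargetVersionPrefix$ChromeGuid"
    }
}

function Find-StaleChromeInstallers {
    # Scan common drop locations plus any deployment shares for Chrome setup files.
    # Caveat: the small online stub (ChromeSetup.exe) carries its own version number,
    # so an unparseable or low file version means "review and re-download", not proof
    # of vulnerability. A non-Valid Authenticode status is always a red flag.
    param([string[]]$Roots = @($env:TEMP, "$env:USERPROFILE\Downloads"))
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include '*.exe', '*.msi' -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match 'chrome' } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                $ver = $null
                if ($_.VersionInfo.FileVersion) { [void][version]::TryParse($_.VersionInfo.FileVersion, [ref]$ver) }
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $_.VersionInfo.FileVersion
                    Signer      = $sig.SignerCertificate.Subject
                    SigStatus   = $sig.Status
                    NeedsReview = (-not $ver) -or ($ver -lt $FixedVersion) -or ($sig.Status -ne 'Valid')
                }
            }
    }
}

# Report for this host; pass deployment shares as extra roots when run from an admin box.
$installed = Get-InstalledChromeVersion
if (Test-ChromePatched -Installed $installed) { Write-Host "Chrome $installed is at or above $FixedVersion" }
elseif ($installed)                          { Write-Warning "Chrome $installed predates the fix ($FixedVersion)" }
else                                         { Write-Host 'Chrome not found on this host' }

$policy = Get-ChromeUpdatePolicy
if ($policy.BlocksFix) { Write-Warning "Google Update policy would block or pin the update: $($policy | Out-String)" }

Find-StaleChromeInstallers -Roots @($env:TEMP, "$env:USERPROFILE\Downloads", '\\fileserver\deploy\chrome') |
    Where-Object NeedsReview | Format-Table Path, FileVersion, SigStatus -AutoSize
```

Run it elevated so the HKLM policy key and other users' profiles are readable, and feed it the real paths of your installer repositories in place of the placeholder share. Anything listed in the final table should be deleted and replaced with a fresh download from Google rather than left for a technician to stumble over during the next reinstall.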
What Comes Next
Google hasn't said whether CVE-2026-14094 was exploited in the wild before the patch. The company normally states in the release note itself when it is aware of an exploit in the wild, and that statement is absent here, but details are often added once most users have updated. Watch the Chrome Releases blog for any follow-up.
Microsoft and other endpoint vendors will likely add detection for the exploit technique to their products over the coming days. If you manage Defender for Endpoint via Group Policy or Intune, ensure your security intelligence updates are flowing so that any new rules actually reach your hosts.
This episode is a reminder that installer-level bugs remain a powerful weapon. The combination of a trusted application and automatic elevated privileges is too tempting for attackers to ignore. Continuous update management, application allowlisting, and least-privilege principles, where users run as standard accounts and only elevate when necessary, remain the best defenses against these stealthy local attacks.
For now, patch Chrome and breathe easier. The window of exposure on Windows closed the moment version 150.0.7871.47 hit Google's update servers. But make this the last update you postpone.