Menu

CERT-In’s Critical Chrome Alert Is Becoming a Monthly Habit in India

CERT-In has issued a critical Chrome alert for Windows, Mac and Linux, its fourth warning in 2026, as Google’s patch pace keeps accelerating.

Ishan Crawford 8 hours ago 0 4

CERT-In has warned Chrome users on Windows, Mac and Linux that a single malicious webpage can let an attacker run code on their machine, its fourth such alert in 2026. The advisory, rated critical, flags every Chrome build before version 150.0.7871.114. Google shipped that fix on July 8, one day after a separate update it never explained.

A week before that, Google had already patched 382 other flaws in the same browser. CERT-In has now issued four Chrome warnings since March, roughly one every five weeks, and each one has arrived faster than the last.

CERT-In’s Advisory Covers Every Recent Chrome Build

The agency’s bulletin, filed as CIVN-2026-0359, does not soften the language. It warns that “multiple vulnerabilities have been reported in Google Chrome which could allow a remote attacker to execute arbitrary code,” and lists security bypasses, sensitive data exposure and denial of service among the possible outcomes.

The advisory filed as CIVN-2026-0359 names every end user organisation and individual running Chrome for desktop as the target audience. Its impact assessment points to full system compromise, service unavailability and information disclosure as realistic outcomes, not worst case theory.

Systems are only safe on version 150.0.7871.114 or .115 for Windows and Mac, and 150.0.7871.114 for Linux. Google confirmed the same numbers in its own release notes, where it moved the stable channel to 150.0.7871.114 and .115 on July 8.

Two Patches, One Day Apart, Twenty Seven Flaws

Google actually shipped two updates back to back. Version 150.0.7871.100/101 landed July 7 with no public vulnerability details attached. The next day, 150.0.7871.114/115 arrived with a full list attached: 27 fixes in total, two of them critical.

Both critical bugs, tracked as CVE-2026-15112 and CVE-2026-15129, are use after free flaws. That means the browser kept a pointer to a piece of memory after telling the system it was finished with it, and an attacker who can control what fills that freed memory next can sometimes hijack the process entirely.

One sits in Chrome’s Ozone platform layer, the other in its Views interface framework. Google credits its own engineers with finding both, reported internally on May 29 and June 15.

Thirteen of the 27 fixes overall are use after free bugs, spread across Extensions, Autofill, Payments, WebRTC, Forms and Input. The rest cover uninitialized memory, integer overflow and gaps in how Chrome validates untrusted input from web pages.

None of this is happening in isolation. Chrome 149’s own rollout the previous month had already patched 28 security flaws, including 12 memory-safety bugs, before this cycle even started.

What We Know

  • The fix ships as version 150.0.7871.114 or .115 for Windows and Mac, and 150.0.7871.114 for Linux.
  • Two of the 27 patched bugs, CVE-2026-15112 and CVE-2026-15129, are rated critical.
  • Both critical bugs are use after free defects in Chrome’s Ozone and Views components.

What’s Unconfirmed

  • Google says none of the 27 flaws are known to have been exploited before the patch shipped.
  • Technical detail on several of the bugs remains withheld, so independent verification is limited for now.

That gap between a critical label and no confirmed attacks is not a contradiction. Google routinely withholds specifics until most users have updated, precisely so attackers cannot reverse engineer a working exploit from the patch notes.

This Is CERT-In’s Fourth Chrome Warning Since March

CERT-In has told Indian Chrome users to update four separate times this year. Severity has only climbed.

Advisory Window CERT-In Severity Flagged Components
March 10 High V8 engine, developer tools, media handling
April High risk Web Audio, WebRTC, CSS, Blink rendering
May 28 Critical WebRTC, GPU, QUIC, XR, Chromecast
July Critical Ozone, Views, Extensions, V8, ANGLE

The advisories track a browser shipping fixes faster than it ever has. Google’s own release notes show 382 vulnerabilities patched on July 1 alone, 15 of them critical. Since April, the company has fixed more than 1,400 Chrome vulnerabilities in total, according to an analysis by tech outlet Digitbin, with June and July alone accounting for over 1,000 of those.

PCWorld and Forbes both pointed toward the same likely driver. “Given the sheer number of flaws fixed, it’s likely AI was involved in finding and possibly even addressing them,” PCWorld wrote of the July 1 release. Forbes contributor Davey Winder tied the trend to Google, Apple and Microsoft all leaning on artificial intelligence to hunt bugs faster, noting that Microsoft’s own patch cycle had just delivered 206 fixes of its own.

Zero day exploitation is rising industry wide too. Google’s Threat Intelligence Group tracked 90 zero days exploited in the wild in 2025, up from 78 the year before, with enterprise technology accounting for a record 48% of observed exploitation.

India is not alone in fielding these alerts either. Singapore’s Cyber Security Agency issued its own April alert for a Dawn WebGPU flaw, tracked as CVE-2026-5281, showing the same underlying Chrome release cycle triggers government warnings well beyond India.

What Happens If You Skip the Update?

Skipping the update leaves a Chrome install exposed to bugs that let a malicious webpage run code inside the browser’s own sandbox. On their own, sandboxed bugs stay contained. Chained with a second flaw, they can escape that sandbox entirely, giving an attacker roughly the same access as the person at the keyboard.

Malwarebytes describes the sandbox as a sealed off environment meant to keep malicious activity confined to the browser instead of the wider device. A sandbox escape breaks that containment, turning a browser bug into a whole device problem.

Chrome’s first zero day of 2026, a CSS bug patched in February, showed how that chain plays out beyond a lab. Attackers were already using it to run code inside Chrome’s sandbox before Google had a patch ready.

Security researchers tracking this year’s V8 flaws have made a similar point. An exploited engine bug can turn ordinary browsing into a path for credential theft or malware delivery, especially once it is paired with a second bug or a phishing email.

Updating Takes Less Than a Minute

The fix is already sitting on Chrome’s update servers. Applying it takes four clicks.

  • Click the three dot menu in Chrome’s top right corner
  • Open Settings, then About Chrome, or Help, then About Google Chrome
  • Let the browser download version 150.0.7871.114 or later automatically
  • Relaunch Chrome to finish installing the patch

Chrome usually updates itself in the background, but the fix does not take effect until the browser restarts. Anyone who keeps dozens of tabs open for days at a stretch is often the last one protected, since a stalled extension or a browser that never closes can quietly delay the update.

Google Is About to Double Its Patch Pace

Chrome runs on more than 65% of the world’s browsers, which makes every one of these cycles a global event by default, not just an Indian one.

That cycle is about to move faster. Google plans to shift stable Chrome releases to a fortnightly schedule starting with version 153, cutting the current four week cadence in half, Forbes reported, citing Google’s own announcement of the change.

Chrome 151 is due July 28, four weeks after version 150 shipped. Extended Stable, the channel most large enterprises rely on, still updates only every eight weeks, leaving IT teams a wider gap to close before the next round of fixes lands.

CERT-In’s next Chrome advisory, on current form, is only a few weeks away.

Frequently Asked Questions

Which Chrome version fixes the flaws CERT-In flagged?

Version 150.0.7871.114 or .115 closes the gap on Windows and Mac, and 150.0.7871.114 does the same on Linux. Chrome for Android and iOS received matching fixes in the same release window, according to reporting on the update from PCWorld.

Has anyone actually been attacked through these bugs?

Not according to Google. The company has said none of the 27 vulnerabilities patched on July 8 are known to be exploited in the wild, though it has withheld technical detail on several of them until more users update.

How often does CERT-In warn about Chrome?

At least four times in 2026 so far, in March, April, May and July, with severity climbing from high to critical over that span. That works out to roughly one advisory every five weeks.

What is a use after free bug, in plain terms?

It is a memory error where software keeps a pointer to data it already told the computer it was finished with. If an attacker controls what fills that freed memory next, they can sometimes trick the browser into running their own code instead of the website’s.

Do Chromium based browsers like Edge or Brave need the same update?

Yes. Microsoft Edge, Brave, Opera and Vivaldi all share Chrome’s underlying code and typically ship matching security fixes within days, so users of those browsers should check for updates too, according to multiple security advisories covering this patch cycle.

Written By

Prior to the position, Ishan was senior vice president, strategy & development for Cumbernauld-media Company since April 2013. He joined the Company in 2004 and has served in several corporate developments, business development and strategic planning roles for three chief executives. During that time, he helped transform the Company from a traditional U.S. media conglomerate into a global digital subscription service, unified by the journalism and brand of Cumbernauld-media.

Leave a Reply

Leave a Reply

Your email address will not be published. Required fields are marked *