Google released Chrome 151 with 382 security fixes on July 1, 2026 — a record single-release patch that includes 15 critical bugs and the actively exploited V8 flaw CVE-2026-11645.
Key Takeaways
Google released Chrome 151 to the stable channel on July 1, 2026, patching a record 382 security vulnerabilities in a single release.
The fixes include 15 critical, 67 high, 169 medium and 131 low severity bugs; 10 of the critical flaws are use-after-free memory-safety issues in core browser components.
CVE-2026-11645, a V8 JavaScript engine flaw, is being actively exploited in the wild and was added to CISA's Known Exploited Vulnerabilities catalogue within hours of release.
The update lands in the same 72-hour window as Adobe's emergency ColdFusion bulletin and the RoguePlanet Microsoft Defender zero-day, creating one of the busiest patch weeks of the year.
Google recommends immediate rollout of Chrome 151.0.7621.71 or later; enterprise admins can enforce the update via Chrome Browser Cloud Management policy.
Kaan Tınmaz
Google shipped Chrome 151 to the stable channel on July 1, patching an enormous 382 security vulnerabilities in a single release. Fifteen carry the critical severity rating, and CISA has already confirmed active in-the-wild exploitation of one of them, CVE-2026-11645, driving a rare mass-patch scramble across enterprises.
The largest single Chrome fix on record
Chrome 151 rolled to Windows, macOS, Linux and Chrome for iOS. Of the 382 fixes, Google flagged 15 as critical, 67 as high, 169 as medium and 131 as low. Ten of the critical bugs are use-after-free flaws across core browser components, a class of memory-safety issue that has been the durable weak point of the Chromium C++ codebase.
Actively exploited zero-day
The standout is CVE-2026-11645, an actively exploited V8 JavaScript engine flaw. CISA added it to the Known Exploited Vulnerabilities catalogue within hours of the release, echoing the same V8 zero-day pattern that hit Chrome in June. Enterprise fleets running Chrome-based agent stacks, ChromeOS kiosks and Electron shells will need to roll the update quickly.
Patch cycle from hell
Chrome 151 lands in the same 72-hour window as Adobe’s emergency ColdFusion bulletin and the RoguePlanet Microsoft Defender zero-day, giving security teams one of the busiest patch weeks of the year. Google recommended immediate rollout of Chrome 151.0.7621.71 (or later) via Chrome Update; enterprise admins can enforce via Chrome Browser Cloud Management policy.
Reporting based on coverage from Google, Cybersecurity News, SecurityWeek and Malwarebytes Labs.
CVE-2026-11645 is an actively exploited flaw in Chrome's V8 JavaScript engine. CISA confirmed in-the-wild exploitation and added it to the Known Exploited Vulnerabilities catalogue within hours of Chrome 151's release, making immediate patching a priority.
How many vulnerabilities does Chrome 151 fix and how severe are they?
Chrome 151 fixes 382 vulnerabilities, the largest single Chrome patch on record: 15 critical, 67 high, 169 medium and 131 low severity. Ten of the critical bugs are use-after-free memory-safety flaws in core browser components.
Which platforms and systems are affected?
Chrome 151 rolled out to Windows, macOS, Linux and Chrome for iOS. Enterprise fleets running Chrome-based agent stacks, ChromeOS kiosks and Electron shells are also urged to update quickly.
What version should organizations deploy and how?
Google recommends immediate rollout of Chrome 151.0.7621.71 or later via Chrome Update. Enterprise administrators can enforce the update using Chrome Browser Cloud Management policy.