Executive Summary
Recent updates to Google Chrome (version 150) and Mozilla Firefox (version 152) have remediated a substantial number of critical vulnerabilities, many of which could enable remote code execution, sandbox escapes, and privilege escalation. While no evidence of exploitation in the wild has been confirmed, the technical severity and attack surface of these vulnerabilities demand immediate attention. This advisory provides a comprehensive technical breakdown, exploitation status, and actionable recommendations for enterprise defenders and executives.
Technical Information
The latest stable release of Google Chrome (150.0.7871.46/47 for Windows/macOS, 150.0.7871.46 for Linux) addresses 382 vulnerabilities, including 15 classified as critical (CVE-2026-13774 through CVE-2026-13788 and additional criticals up to CVE-2026-14427). The most severe issues are use-after-free (UAF) flaws in components such as the Dawn graphics library, ANGLE, Skia, Views, Chromoting, Ozone, Fullscreen, Bluetooth, WebUSB, Browser, and Extensions. Other critical bug classes include type confusion, heap buffer overflows, out-of-bounds reads/writes, and insufficient input validation.
Internally, Google security teams discovered 358 vulnerabilities, with the remainder reported by external researchers. The company awarded nearly $90,000 in bug bounties for these discoveries. Notable critical CVEs include CVE-2026-13774 (UAF in Extensions), CVE-2026-13775 (UAF in GPU), CVE-2026-14398 (UAF in ANGLE), CVE-2026-13776 (Type Confusion in Dawn), and CVE-2026-14427 (Heap buffer overflow in Skia). These vulnerabilities, if exploited, could allow attackers to execute arbitrary code within the browser context, escalate privileges, or escape the browser sandbox to impact the underlying operating system.
Mozilla Firefox 152, released June 16, 2026, resolves over 40 vulnerabilities, including several critical and high-impact CVEs. These include CVE-2026-12289 (privilege escalation in Graphics: WebRender), CVE-2026-12291 (UAF in Networking: HTTP), CVE-2026-12293 (UAF in Graphics: WebGPU), CVE-2026-12294/95/96/97 (multiple sandbox escapes in DOM and Networking), CVE-2026-12299 (JIT miscompilation in DOM: Core & HTML), and CVE-2026-12326/28 (memory safety bugs with code execution potential). The vulnerabilities span use-after-free, sandbox escape, privilege escalation, JIT miscompilation, information disclosure, and memory safety flaws.
Both browsers are high-value targets for attackers due to their ubiquity and the sensitive data they process. Use-after-free and memory corruption vulnerabilities are particularly prized by exploit developers, as they can be chained with sandbox escapes or privilege escalation bugs for full system compromise. The technical complexity of these vulnerabilities underscores the importance of rapid patch deployment and ongoing monitoring for emerging exploit activity.
Exploitation in the Wild
As of the latest advisories and open-source intelligence, there is no evidence of active exploitation of the critical vulnerabilities patched in Chrome 150 or Firefox 152. Neither CVE-2026-13774 (Chrome) nor CVE-2026-12289 (Firefox), nor any other referenced CVEs, are listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of July 2026. This means that, while the vulnerabilities are technically severe and likely to attract attacker interest, there is no CISA-confirmed exploitation at this time. Both Google and Mozilla strongly recommend immediate updates, as browser vulnerabilities are often rapidly weaponized following public disclosure.
APT Groups using this vulnerability
There is currently no public attribution of these vulnerabilities to any specific Advanced Persistent Threat (APT) groups. Open-source reporting and MITRE ATT&CK mappings indicate that the techniques enabled by these vulnerabilities (such as exploitation for client execution, privilege escalation, and sandbox escape) are commonly leveraged by sophisticated threat actors. However, as of this writing, no APT group has been publicly linked to exploitation of the vulnerabilities patched in Chrome 150 or Firefox 152.
Affected Product Versions
The affected product versions are as follows: Google Chrome versions prior to 150.0.7871.46/47 on Windows and macOS, and prior to 150.0.7871.46 on Linux, as well as Mozilla Firefox versions prior to 152 on all supported platforms. Organizations running these or earlier versions are at risk and should prioritize patching.
Workaround and Mitigation
The primary mitigation is to immediately update all instances of Google Chrome to version 150.0.7871.46/47 and Mozilla Firefox to version 152. Enterprises should ensure that browser auto-update mechanisms are enabled and functioning correctly. For high-risk environments, consider additional browser hardening measures, such as disabling unnecessary plugins, enforcing strict content security policies, and leveraging endpoint protection solutions capable of detecting browser exploitation attempts. Continuous monitoring of vendor advisories and threat intelligence feeds is recommended to stay ahead of emerging exploit activity or proof-of-concept releases.
Indicators of Compromise
The following table presents Indicators of Compromise (IOCs) extracted from public advisories and news sources. These IOCs are point-in-time and should be validated in your environment before enforcement.
Type | Indicator | Reported (date) | Source
|
Domain | app[.]opencve[.]io | 2026-06-16 | https://app.opencve.io/cve/?product=firefox&vendor=mozilla |
Domain | chromereleases[.]googleblog[.]com | 2026-07-01 | https://chromereleases.googleblog.com/ |
Domain | www[.]mozilla[.]org | 2026-06-16 | https://www.mozilla.org/en-US/security/advisories/mfsa2026-57/ |
Domain | www[.]pcworld[.]com | 2026-07-01 | https://www.pcworld.com/article/3182088/chrome-150-fixes-nearly-400-security-flaws-including-15-critical-ones.html |
URL | hxxps://app[.]opencve[.]io/cve/?product=firefox&vendor=mozilla | 2026-06-16 | https://app.opencve.io/cve/?product=firefox&vendor=mozilla |
URL | hxxps://chromereleases[.]googleblog[.]com/ | 2026-07-01 | https://chromereleases.googleblog.com/ |
URL | hxxps://www[.]mozilla[.]org/en-US/security/advisories/mfsa2026-57/ | 2026-06-16 | https://www.mozilla.org/en-US/security/advisories/mfsa2026-57/ |
URL | hxxps://www[.]pcworld[.]com/article/3182088/chrome-150-fixes-nearly-400-security-flaws-including-15-critical-ones[.]html | 2026-07-01 | https://www.pcworld.com/article/3182088/chrome-150-fixes-nearly-400-security-flaws-including-15-critical-ones.html |
References
- Chrome Releases Blog (Official)
- PCWorld: Chrome 150 fixes nearly 400 security flaws, including 15 critical ones
- Mozilla Security Advisory MFSA2026-57
- OpenCVE Firefox Vulnerabilities
- LinkedIn Security Post
Rescana is here for you
Rescana empowers organizations to manage third-party risk and supply chain security with our advanced TPRM platform, providing continuous monitoring, automated risk assessment, and actionable intelligence. Our team is dedicated to helping you navigate the evolving threat landscape and strengthen your cybersecurity posture. We are happy to answer any questions at info@rescana.com.


