News Date: 2026-07-15
Google and Mozilla have issued new browser updates addressing critical security weaknesses, giving IT departments another reason to examine how quickly browser patches actually reach employees. The releases cover Chrome 150 and Firefox 152, including vulnerabilities that could create opportunities for memory corruption, security-boundary bypasses and potentially malicious code execution.
Firefox Exploit Code Is Already Public
Mozilla released Firefox 152.0.6 to fix two critical vulnerabilities tracked as CVE-2026-15718 and CVE-2026-15719. The defects involve an invalid pointer in the JavaScript and WebAssembly component and a site-isolation weakness affecting navigation behavior.
Mozilla confirmed that public exploit code exists for both issues, although it had not observed active exploitation at the time of publication. That is not a reason to delay. Once practical technical information becomes available, attackers can study it, improve it and incorporate it into malicious websites or targeted campaigns.
Chrome Corrects Fifteen Security Defects
Google's Chrome update fixes 15 vulnerabilities, including two critical use-after-free flaws in the Ozone component. Additional high-severity problems affect areas such as V8, GPU processing, media, user-interface code and HTML canvas functionality.
The corrected Chrome builds are rolling out as versions 150.0.7871.124 and 150.0.7871.125 for Windows and macOS, with version 150.0.7871.124 available for Linux. Google did not report active exploitation of the patched Chrome vulnerabilities.
What IT Teams Should Do
- Use browser-management platforms to verify deployed versions.
- Force or strongly encourage browser restarts after updates are installed.
- Prioritize systems used for administration, finance and privileged cloud access.
- Check virtual desktop and application-packaging environments for outdated builds.
- Monitor for users running unmanaged or portable browser installations.
I believe browser patching remains deceptively difficult because an update may be downloaded without becoming active until the user restarts the application. A compliance dashboard showing an installed update can therefore provide false confidence.
Browsers now process sensitive corporate applications, identity sessions, documents and untrusted internet content in the same environment. Enterprises should manage them as critical endpoint infrastructure, with measurable patch deadlines and restart enforcement rather than optional user reminders.
