Google shipped a second emergency Chrome patch in 48 hours on July 16, and every critical fix inside it traces back to Google’s own security team. The Chrome 150.0.7871.128/.129 update closes seven vulnerabilities, three of them critical use-after-free bugs, two days after a July 14 patch fixed six issues, two of them critical.
None of the three critical flaws carries an outside researcher’s name. One of the four remaining bugs does, and it belongs to OpenAI’s internal security team, not a traditional bug hunter. That split is a small preview of who actually finds Chrome’s bugs now.
Seven Bugs, Three of Them Found In-House
Google’s technical program manager, Daniel Yip, laid out the fixes in the company’s bulletin. CVE-2026-15899 hit the CameraCapture component, CVE-2026-15900 hit the GPU process, and CVE-2026-15901 hit Chrome’s networking code. All three are rated critical. All three are use-after-free bugs, memory errors that let an attacker manipulate a program after it has already released memory it was still pointing to.
Google’s own stable channel update notes show the CameraCapture bug was reported May 27, the GPU flaw June 14, and the network bug just six days before the patch shipped, on July 10. Google found and reported all three itself, without help from the outside researchers who normally feed its Vulnerability Reward Program.
| CVE | Component | Severity | Reported By | Date Reported |
|---|---|---|---|---|
| CVE-2026-15899 | CameraCapture | Critical | Google (internal) | May 27, 2026 |
| CVE-2026-15900 | GPU | Critical | Google (internal) | June 14, 2026 |
| CVE-2026-15901 | Network | Critical | Google (internal) | July 10, 2026 |
| CVE-2026-15902 | Cast | High | Google (internal) | June 10, 2026 |
| CVE-2026-15903 | V8 engine | High | OpenAI Codex Security | July 6, 2026 |
| CVE-2026-15904 | Ozone | High | Not disclosed | Not disclosed |
| CVE-2026-15905 | Aura | High | Not disclosed | Not disclosed |
Google says it found no evidence attackers were exploiting any of the seven bugs before the patch shipped. That puts this week’s update in a different category from several Chrome bugs patched earlier this year, which attackers were already using.
OpenAI’s Security Team Found One of Chrome’s Bugs
The fourth bug, CVE-2026-15903, a high severity flaw in Chrome’s V8 JavaScript engine, carries a rarer credit. Google’s release notes list the reporter as OpenAI Codex Security, tagged with the handle amyb, and dated July 6, ten days before the patch shipped.
Google hasn’t said whether AI tools helped it find its own three critical bugs. But the company has spent roughly two years building exactly that kind of capability. Big Sleep, an AI agent built by Google DeepMind and Project Zero, has been hunting real-world software flaws since 2024 and has already stopped at least one critical bug before attackers could weaponize it. A rival AI lab’s security team reporting a bug in Chrome suggests that same kind of tooling is spreading well beyond the company that built it.
Why Chrome’s Bug Bounty Checks Are Getting Smaller
Google restructured its Chrome and Android reward programs earlier this year, and the reason it gave was blunt.
Over the past few years, AI and automation have accelerated the pace of vulnerability discovery, and our teams are moving at an unprecedented rate.
Google’s bug bounty team wrote that line in the announcement restructuring its reward programs this spring. Individual Chrome payouts are shrinking even as Google’s Chrome Vulnerability Reward Program rules add narrower bonuses aimed at bugs AI still can’t reliably find on its own.
- $17.1 million paid to 747 researchers through Google’s Vulnerability Reward Program in 2025, a jump of more than 40% from 2024
- $81.6 million paid out in total since the program launched in 2010
- $250,128 now offered for a demonstrated bypass of MiraclePtr, Chrome’s built-in defense against use-after-free exploitation
- $1.5 million top reward for a zero-click Android exploit, up from $1 million, meant to redirect hunters toward harder targets
A separate industry-run bug bounty program paused new submissions entirely this year, overwhelmed by a flood of AI-generated reports. Google says its own changes are about redirecting researchers toward harder problems rather than cutting costs, and that total payouts should keep climbing even as the price of any single bug falls.
The Browsers Still Waiting on a Fix
Chrome’s fixes don’t automatically protect anyone running a different browser built on the same engine. CVE-2026-15902, the Cast bug patched this week, lives in Chromium, the open source project underneath Chrome and several competitors. Installing Chrome 150.0.7871.128 does nothing for those other browsers.
Each of the following needs its own separate patch, on its own timeline:
- Microsoft Edge, which ships fixes through Windows Update or its own release channel
- Brave, which rebases onto new Chromium code on a schedule of its own choosing
- Opera and Vivaldi, both built on the same rendering and networking stack
- Electron-based desktop apps and the WebView2 runtime embedded in thousands of Windows programs
Enterprise fleets face a slower path too. Chrome installs on shared workstations, kiosks and virtual desktops often run for weeks without a restart, and a browser that never reopens never finishes installing a fix it already downloaded. One of this week’s high severity bugs, a use-after-free in Chrome’s Aura interface framework, still had no public entry in the National Vulnerability Database as of July 17, a gap that can stall patch management tools built around that database.
Chrome’s Patch Rhythm Is About to Get Faster
Chrome has had a rough year regardless of this week’s patches. Google fixed its fifth actively exploited zero-day of 2026 back in June, a V8 flaw reported by an anonymous researcher. That already puts 2026 most of the way to matching 2025’s full-year total of eight exploited zero-days.
None of the seven bugs fixed this week fall into that exploited category, at least not yet. But the pace of patching is about to quicken regardless. Google has said stable Chrome releases will move to a two-week cadence starting in September, roughly halving the current release cycle.
Frequently Asked Questions
Does This Patch Reach Chrome on Android and iOS Too?
Desktop and mobile builds don’t always land the same day. Google has typically shipped Android fixes the same week as desktop and iOS builds a few days apart from both, so mobile users should expect the same protections within days rather than on the exact release date.
Has Either Update Been Added to a Known Exploited Vulnerabilities List?
No. Neither the July 14 nor the July 16 patch addresses a bug currently on CISA’s Known Exploited Vulnerabilities catalog. Earlier in 2026, Chrome zero-days such as CVE-2026-5281 landed on that list almost immediately after disclosure, which is not the case here.
What Is a MiraclePtr Bypass, and Why Is It Worth $250,128?
MiraclePtr is Chrome’s built-in defense against use-after-free bugs, the same bug class behind all three critical fixes this week. It is designed to make freed memory safe to reference instead of exploitable. Google pays the bonus because a working bypass would undercut one of Chrome’s core defenses, not just report a single bug.
Do Edge, Brave and Opera Users Need to Act Separately?
Yes. Each browser ships its own build on its own timeline, so updating Chrome does not patch Edge, Brave, Opera or Vivaldi even though they share the same underlying engine. Check each browser’s own version or about page rather than assuming one update covers them all.
The fix is one click away: open the three-dot menu, let Chrome relaunch, and check for version 150.0.7871.128 or higher. That’s the second relaunch prompt in two days, and with a fortnightly release schedule arriving in September, it won’t be the last.





