Skip to content
feed: live
>_ 0dayNews
CVE Record
[ HIGH ] CVE-2026-15764

Chrome Ozone use-after-free on Linux

Use-after-free in the Ozone platform-abstraction layer on Chrome for Linux. A remote attacker who convinces a user to perform specific UI gestures could exploit heap corruption via a crafted HTML page. Fixed in Chrome 150.0.7871.125.

cat cve-2026-15764.json
Vendor
Google
Product
Chrome for Linux (pre-150.0.7871.125)
CVSS
7.5
EPSS (exploit probability)
N/A
Status
patched
Published

CVE-2026-15764 is a use-after-free vulnerability in Ozone — Chromium’s platform-abstraction layer for window/graphics primitives — on Linux. Per NVD: “a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page.” NVD scores it 7.5 (high); Chromium’s internal severity is marked Critical.

The fix ships in Chrome 150.0.7871.125 for Linux. Chrome auto-updates on relaunch — verify that managed installs actually restarted rather than assuming an “auto-update” checkbox is enough.

See CVE-2026-15765 for the sibling bug in the same release. Full coverage: Firefox exploit code public; Chrome, Adobe patch same day.