Google Chrome Extensions API Integer Overflow Out-of-Bounds Read Vulnerability
Integer overflow in Extensions API in Google Chrome prior to 150.0.7871.115 allowed an attacker who convinced a user to install a malicious extension to perform an out of bounds memory read via a crafted Chrome Extension. (Chromium security severity: High)
Quick answer
Google Chrome should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Google Chrome before 150.0.7871.115
Fixed versions
- 150.0.7871.115
How to fix it
Google Chrome before 150.0.7871.115 is affected by Extensions API integer overflow out-of-bounds read. Update Chrome and Chromium-based browsers immediately, then force users to restart so the patched browser process is active and the Extensions API fix is actually loaded.
- Update Google Chrome to 150.0.7871.115 or later, or the fixed build distributed by the operating system or enterprise browser channel.
- Force a browser restart across managed endpoints so old vulnerable renderer and browser processes are closed.
- Apply the equivalent update to Chromium-based browsers that may inherit the same affected component.
- Prioritize endpoints used for email, administrator consoles, banking, SaaS dashboards, development, and privileged access.
- Use MDM, Group Policy, endpoint management, or browser cloud management to block outdated Chrome versions.
- Warn users to avoid untrusted links, attachments, extensions, and crafted pages until the Extensions API update is confirmed.
- Review endpoint telemetry for Chrome crashes, exploit alerts, suspicious renderer behavior, or indicators involving Extensions API.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm chrome://version, enterprise inventory, or endpoint management reports Chrome 150.0.7871.115 or later.
- Verify all users restarted Chrome after the update and no stale vulnerable processes remain running.
- Confirm update compliance for Chromium-based browsers and mobile Chrome where applicable.
- Review browser and EDR telemetry for suspicious Extensions API crashes or exploit attempts.
- Run a Fixnx scan and confirm public web properties do not instruct users to keep or install outdated browsers.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-15108?
Google Chrome versions listed as affected should be reviewed: Google Chrome before 150.0.7871.115.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
