Chrome 147 and Firefox 150 Security Updates Address Critical Browser Flaws
Google and Mozilla released critical security updates on April 29, 2026, patching multiple high-severity vulnerabilities in Chrome 147 and Firefox 150 that could allow attackers to execute arbitrary code on victim systems. The browser updates target flaws that security researchers identified as posing significant risks to enterprise and consumer users across all major operating systems.
Chrome 147.0.6123.58 addresses eight security vulnerabilities, including three rated as critical severity with CVSS scores exceeding 8.0. The most severe flaw affects the browser's JavaScript V8 engine, where improper memory handling could allow remote attackers to trigger heap corruption and gain code execution privileges. Google's security team confirmed the vulnerability impacts all Chrome installations running versions 146.x and earlier across Windows, macOS, Linux, and ChromeOS platforms.
Mozilla's Firefox 150.0 update simultaneously patches six security issues, with two classified as critical remote code execution vulnerabilities. The Firefox flaws center on memory safety bugs in the browser's rendering engine and WebAssembly implementation. Mozilla engineers discovered these issues during internal security audits and coordinated the disclosure with Google to ensure synchronized patching across the browser ecosystem.
Both vendors emphasized the severity of these vulnerabilities stems from their potential for exploitation through malicious websites or compromised web content. Attackers could craft specially designed web pages that trigger the vulnerabilities when users visit infected sites, potentially leading to full system compromise without requiring user interaction beyond normal browsing activities. The vulnerabilities affect both desktop and mobile browser versions, expanding the potential attack surface to billions of devices worldwide.
Security researchers noted that the timing of these updates coincides with increased browser-based attack campaigns observed throughout April 2026. Threat intelligence firms have documented a 40% increase in exploit kit activity targeting browser vulnerabilities, making these patches particularly critical for organizational security postures. The coordinated release suggests both vendors identified similar attack vectors and worked together to minimize the window of exposure for users.
Widespread Impact Across Enterprise and Consumer Browser Deployments
The vulnerabilities affect all users running Chrome versions 146.x and earlier, along with Firefox versions 149.x and below. Enterprise environments face particular risk due to the prevalence of these browsers in corporate networks, where successful exploitation could provide attackers with initial access to internal systems. Organizations using Chrome for Business or Firefox ESR deployments must prioritize these updates to prevent potential lateral movement attacks.
Google estimates approximately 3.2 billion Chrome installations require the security update, spanning Windows 10/11, macOS Monterey through Sonoma, Ubuntu 20.04+, and ChromeOS devices. The vulnerability affects both 32-bit and 64-bit architectures, with no configuration-based workarounds available to mitigate the risk without applying the full security patch. Mobile Chrome users on Android 8.0+ and iOS 14+ also need the corresponding mobile browser updates.
Firefox's user base of approximately 200 million installations faces similar exposure, with the vulnerabilities affecting Firefox 149.x and earlier across all supported platforms. Mozilla's Extended Support Release (ESR) channel, commonly deployed in enterprise environments, requires immediate attention as ESR 128.x versions contain the same underlying flaws. Educational institutions and government agencies using Firefox as their standard browser face elevated risk due to the potential for widespread compromise through a single malicious website visit.
The arbitrary code execution capabilities of these vulnerabilities mean successful exploitation could lead to complete system compromise, including credential theft, malware installation, and data exfiltration. Security teams should treat these updates with the same urgency as operating system security patches, particularly in environments where browsers access sensitive internal applications or cloud services with stored authentication tokens.
Immediate Patching and Mitigation Steps for IT Teams
Chrome 147.0.6123.58 deploys automatically through Google's standard update mechanism, but IT administrators should verify successful installation across managed fleets. Enterprise environments using Google Admin Console can force immediate updates by navigating to Device Management > Chrome > Settings > User & Browser Settings and enabling 'Auto-update Chrome browser'. Organizations can verify successful patching by checking chrome://version/ on individual systems or deploying PowerShell scripts to query Chrome version information across Windows domains.
Firefox 150.0 requires manual verification in enterprise environments, particularly for ESR deployments. Administrators should access the CISA Known Exploited Vulnerabilities catalog to monitor whether these CVEs receive active exploitation status. Mozilla provides enterprise deployment packages through their FTP servers, allowing centralized distribution through existing software management platforms like SCCM or Jamf Pro.
Network security teams should implement additional monitoring for suspicious browser-based activity while patches deploy. Web proxy logs should be reviewed for unusual JavaScript execution patterns or WebAssembly loading behaviors that could indicate exploitation attempts. Security information and event management (SIEM) systems should be configured to alert on browser crash patterns or unexpected process spawning from browser processes.
Organizations unable to immediately deploy updates should consider temporary mitigation strategies, including restricting browser access to untrusted websites through DNS filtering or web proxy policies. However, these measures provide limited protection against sophisticated attacks and should not replace prompt patching. The Microsoft Security Response Center recommends treating browser vulnerabilities with the same priority as operating system flaws due to their potential for widespread compromise.
Security teams should also review browser extension policies, as malicious extensions could potentially leverage these vulnerabilities for privilege escalation. Chrome's Enterprise Policy templates allow administrators to restrict extension installation and enforce security policies that limit exposure to browser-based attacks while maintaining operational functionality for business-critical web applications.
