SecurityDeveloper Tools

Firefox 152 and Chrome 150: Patch Your CI Environments

Firefox and Chrome browser icons with security warning shield over a CI/CD pipeline diagram
Both Mozilla and Google shipped critical security patches on July 14-15 2026

Mozilla and Google both shipped critical security patches on July 14 and July 15. For end users on managed devices, auto-update handles it and the story ends there. For developers running pinned browser versions in CI pipelines, Playwright configurations, Electron apps, or Docker-based test containers — this requires a manual audit before someone else’s proof-of-concept becomes your incident.

Firefox 152.0.6: Two Criticals, Both With Public Exploit Code

Mozilla’s MFSA 2026-67 covers two critical vulnerabilities fixed in Firefox 152.0.6. Both have public exploit code available. Mozilla’s official position: "We are aware that exploit code for this is public however we are not aware of any attacks in the wild abusing this flaw." That is not a comfortable place to be, and the window typically narrows fast — the average from public PoC to incorporation in attack toolkits is seven to fourteen days.

CVE-2026-15718 is an invalid pointer in Firefox’s JavaScript: WebAssembly component. An invalid pointer in the WebAssembly JIT can lead to heap corruption and, with public exploit code already circulating, the exploitation path is being actively probed. CVE-2026-15719 is a site isolation bypass in the DOM: Navigation component — the architecture that keeps cross-origin content out of each other’s memory. A bypass here allows reading data from other origins in the same session: session tokens, API responses, anything rendered in adjacent tabs.

The fix is Firefox 152.0.6. Organizations on the enterprise-managed ESR track need Firefox ESR 128.24.6, which contains both patches.

Chrome 150: Two Critical Use-After-Free Bugs in Ozone

Chrome 150 patches 15 security flaws, two rated Critical. Both are use-after-free bugs in Ozone, Chrome’s platform abstraction layer for windowing and graphics on Linux. Use-after-free means the browser accesses memory it has already freed — a primitive that can lead to heap corruption and, in the right conditions, remote code execution or sandbox escape. CVE-2026-15764 and CVE-2026-15765 both require a crafted HTML page plus specific UI gestures, are Linux-specific, and have no public exploit code or confirmed in-the-wild exploitation.

Fixed in Chrome 150.0.7871.124 for Linux and 150.0.7871.124/125 for Windows and macOS. Desktop Chrome auto-updates. The places it does not auto-update are precisely the ones developers control.

The Blind Spot: Developer-Managed Browser Environments

End-user browsers update automatically. Developer tooling doesn’t, and several common setups silently pin you to vulnerable versions.

Playwright and Puppeteer download and cache specific Chromium and Firefox builds. Running npm update updates the package but not the installed browser binaries. Update them separately:

npx playwright install chromium firefox

GitHub Actions runners bundle a preinstalled Chrome, but runner image updates lag current stable by days to weeks. If your workflow installs a pinned Chrome version, it doesn’t auto-refresh.

Electron apps pin a Chromium version per release. Electron 38.x ships with approximately Chromium 148. If your app hasn’t shipped a new Electron release recently, it may be running a pre-patch Chromium. Check what you’re shipping:

node -e "console.log('Electron:', process.versions.electron, '| Chromium:', process.versions.chrome)"

Docker browser testing imagescypress/included, browserless/chrome, and similar — are tagged by version. Pinning tags for reproducibility means no automatic security updates. Pull and re-tag explicitly.

Enterprise Firefox ESR deployments need ESR 128.24.6 specifically. The current release channel version is not the right target for managed enterprise environments. Verify through your policy manager and confirm with about:updates inside the browser.

What to Check Today

  1. Desktop browsers — Firefox at 152.0.6 (or ESR 128.24.6); Chrome at 150.0.7871.124 or later.
  2. Playwright/Puppeteer projects — run npx playwright install to refresh cached browser binaries.
  3. Electron apps — check the Chromium version in your current release; plan an update if it is below Chrome 150.
  4. CI Docker images — update browser testing container tags and rebuild affected images.
  5. Enterprise Firefox ESR — confirm ESR 128.24.6 has been pushed through your policy tooling before end of week.

Mozilla and Google shipping critical patches in the same 48-hour window is not a coincidence — both vendors participate in shared threat-intelligence programs and increasingly coordinate disclosures. Expect this pattern to continue: browser security updates are now rapid-release, and test infrastructure that was stable six months ago needs a standing update process. SecurityWeek’s full CVE list for both releases is the reference to bookmark for your security team’s documentation.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:Security