CVE-2026-13778: Update Chrome for macOS to 150.0.7871.47

Google Chrome on macOS before version 150.0.7871.47 is affected by CVE-2026-13778, a use-after-free vulnerability in WebUSB that can allow a local attacker using a malicious peripheral to execute arbitrary code. The published record does not establish that Chrome on Windows or Linux, Microsoft Edge, or every Chromium-based browser is affected. For WindowsForum readers managing mixed fleets, the priority is precise: remediate Chrome on Macs immediately without expanding the alert beyond the evidence.

What to do​

  • Affected: Google Chrome on macOS earlier than 150.0.7871.47
  • Fix: Update Chrome to 150.0.7871.47 or later
  • Not established as affected: Chrome on Windows or Linux
  • Temporary precaution: Do not connect untrusted USB peripherals until remediation is confirmed
  • Mac users: Open Chrome, enter chrome://settings/help—or select Chrome menu > Help > About Google Chrome—confirm version 150.0.7871.47 or later, and relaunch Chrome

A laptop displays a Chrome security shield, while a locked USB drive sits beside it.Chrome’s Browser Boundary Extends Down the USB Cable​

CVE-2026-13778 is a use-after-free vulnerability in Chrome’s WebUSB implementation on macOS. According to the Chrome-submitted description in the National Vulnerability Database, a local attacker can exploit the flaw through a malicious peripheral and execute arbitrary code on a Mac running an affected Chrome version.
That wording describes a different attack shape from the more familiar browser vulnerability delivered through a webpage, download, or extension. The dangerous input identified by the record comes from a peripheral connected locally to the Mac.
The record does not say that visiting a malicious website by itself is sufficient. It also does not establish that connecting a peripheral alone completes exploitation. The contributed CVSS assessment says user interaction is required, but the publicly available description does not explain the exact interaction or trigger sequence.
That distinction is important. Defenders should neither minimize the vulnerability because its vector is local nor fill gaps in the record with an imagined attack scenario. The facts support a concise description: affected Chrome code on macOS can be reached through a malicious peripheral, user interaction is required, and successful exploitation can result in arbitrary code execution.
The vulnerability carries a Chromium security severity of Critical. Separately, the CISA-ADP assessment supplies a CVSS 3.1 base score of 7.8 HIGH, using the vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.
Those values are not necessarily contradictory. The Chromium severity is a product-security classification, while CVSS represents standardized characteristics in a numerical score. In this case, the local attack vector and required user interaction constrain the CVSS score even though the stated outcome and potential impacts remain severe.
The central operational point is therefore straightforward: local does not mean harmless. The attack path is limited by physical or local-device conditions, but the CVE’s stated result is arbitrary code execution.

What the Record Says—and What It Does Not​

The vulnerability is classified as CWE-416, Use After Free. This weakness occurs when software continues to access an object or memory region after it has been released. In this CVE, the published outcome is arbitrary code execution.
The public record does not provide the complete exploit technique. It identifies the affected component, platform, weakness class, version boundary, malicious-peripheral condition, and possible result, but it does not describe the precise device behavior or browser operations needed to trigger the flaw.
That limitation should produce a focused response rather than speculation.
Administrators do not need a public proof of concept to identify affected installations because the version boundary is explicit. At the same time, the record does not support claims that every USB device can trigger the vulnerability, that exploitation is automatic on connection, or that a specific browser prompt or user action completes the attack.
It also does not establish what form a malicious peripheral would take. It may be reasonable to consider different physical-device scenarios during internal threat modeling, but the CVE record itself does not identify adapters, development boards, storage devices, cables, hubs, or any other particular form factor.
The safest user-facing language is consequently broad but restrained: do not connect unknown or untrusted peripherals while Chrome remains below the corrected version.
That precaution is not a substitute for patching. It is a temporary way to reduce exposure to the attack condition described in the CVE while the browser update is being verified.

The Scope Is Unusually Precise​

The affected scope is Google Chrome on macOS before 150.0.7871.47.
The description explicitly identifies Chrome on Mac, and NIST’s affected-product configuration combines the Google Chrome application with Apple macOS. The applicable version range ends immediately before 150.0.7871.47.
Nothing in the supplied CVE record establishes that Google Chrome on Windows or Linux is affected. The same record also does not establish that Microsoft Edge or every other Chromium-derived browser contains the vulnerable platform-specific implementation.
That distinction is particularly relevant to WindowsForum readers. Many Windows administrators also manage Macs used by executives, developers, designers, contractors, or other employees. Those Macs require immediate attention, but this CVE should not be turned into an unsupported all-platform Chrome warning.
Shared Chromium ancestry can justify checking other vendors’ security communications. It cannot, by itself, prove that another browser, operating system, or product version is affected by this specific CVE.
Administrators should therefore use the following scope statement in tickets and internal communications:
CVE-2026-13778 affects Google Chrome on macOS before version 150.0.7871.47. The supplied record does not establish impact to Chrome on Windows or Linux, Microsoft Edge, or all Chromium-based browsers.
Precision prevents two common errors. The first is failing to patch Macs because the organization primarily identifies as a Windows environment. The second is issuing an overly broad alert that assigns the CVE to products not identified in the record.
For mixed-platform organizations, the correct action is targeted and urgent: find Chrome installations on macOS, update them, and verify the resulting version.

“Critical” and “7.8 HIGH” Describe Different Aspects of Risk​

The available assessments can look inconsistent at first glance. The vulnerability has a Chromium security severity of Critical, while the CISA-ADP CVSS 3.1 assessment is 7.8 HIGH. The listed SSVC record reports exploitation as none, automation as no, and technical impact as total.
A shorter comparison helps explain the difference without treating any one framework as a complete risk decision.
Assessment layerPublished valueWhat it establishes
Chromium security severityCriticalThe flaw receives Chromium’s highest security-severity classification
CISA-ADP CVSS 3.17.8 HIGHLocal vector, low complexity, no privileges required, user interaction required, unchanged scope, and high potential confidentiality, integrity, and availability impact
Listed SSVC recordExploitation: none; Automatable: no; Technical impact: totalNo known exploitation is recorded in that assessment, scalable automation is not indicated, and the potential technical impact is severe
NVD scoringNo NIST-authored CVSS score in the supplied recordThe absence of an NVD-authored score does not change the stated affected range or remediation threshold
The CVSS vector provides several concrete facts.
Attack vector: local means the attack is not characterized as directly exploitable across a network under this assessment. The malicious peripheral supplies the local element described in the CVE.
Attack complexity: low indicates that the assessment does not require specialized circumstances beyond the listed preconditions.
Privileges required: none means the CVSS assessment does not require the attacker to begin with authenticated privileges on the vulnerable system. It should not be misread as meaning that no other exploit conditions exist.
User interaction: required establishes that some action by a user is part of the attack conditions. The public record does not identify that action, so guidance should not assert a particular click, prompt, browser page, or connection sequence.
High confidentiality, integrity, and availability impact indicates severe potential consequences. That is consistent with the CVE’s arbitrary-code-execution outcome.
The SSVC designation of technical impact: total reinforces the seriousness of the potential technical effect. It should not be expanded into a guarantee that every successful exploit necessarily produces unrestricted or comprehensive compromise of the entire Mac. The supported outcome is arbitrary code execution, with high potential impact across confidentiality, integrity, and availability.
The SSVC field exploitation: none means no known exploitation is identified in the listed assessment. It is a point-in-time status, not a promise that exploitation will never occur and not a reason to delay remediation.
Likewise, automatable: no does not make the vulnerability unimportant. It indicates that the assessment does not consider the attack readily automatable at scale. That conclusion fits the local malicious-peripheral condition but does not change the need to remove vulnerable browser code.
The scoring frameworks therefore tell a coherent story: the attack path has meaningful constraints, but the potential outcome is serious enough to warrant immediate patching.

The Version Boundary Is the Most Useful Fact​

The Chrome-submitted affected-version data may appear awkward because it references 150.0.7871.47 while also using a less-than boundary at that version. The natural-language description and NIST configuration analysis resolve the practical question: versions earlier than 150.0.7871.47 are affected.
The remediation threshold is therefore:
  • Earlier than 150.0.7871.47: affected
  • 150.0.7871.47 or later: outside the published vulnerable range
Administrators should normally deploy the newest approved stable Chrome version available to their organization rather than intentionally stopping at the minimum corrected build. For this CVE, however, 150.0.7871.47 is the concrete threshold that determines whether an installation remains in the affected range.
Verification matters. A deployment job, software catalog entry, or completed administrative task is not the same as confirming the version that Chrome reports after updating.
Google Chrome Help documents the individual update procedure. On a Mac:
  1. Open Google Chrome.
  2. Enter chrome://settings/help in the address bar, or open the Chrome menu and select Help > About Google Chrome.
  3. Read the version number displayed under the Google Chrome heading.
  4. Confirm that the installed version is 150.0.7871.47 or later.
  5. If Chrome presents a pending update, allow it to complete.
  6. Select Relaunch to apply the available update.
  7. Return to the About page and verify the version again.
Google’s instructions state that Chrome checks for updates from the About page and that the Relaunch action applies an available update. That official procedure supports both the version check and the requirement to restart the browser when an update is pending.
If a managed Mac cannot update, the user should contact the organization’s administrator rather than trying to bypass management controls. The security objective remains the same: the running browser must report 150.0.7871.47 or later.

The WindowsForum Angle: Patch the Macs Without Expanding the CVE​

The practical challenge for Windows-focused administrators is not a Windows vulnerability. It is accurately finding and remediating the Macs that exist inside a predominantly Windows-managed organization.
A team may have excellent visibility into Windows browser versions while handling Macs through a separate management product, administrative group, or inventory workflow. CVE-2026-13778 is a reason to check that Mac-specific view immediately.
The response should remain tied to the published evidence:
  1. Identify managed Macs.
  2. Determine which of those Macs have Google Chrome installed.
  3. Compare the reported Chrome version with 150.0.7871.47.
  4. Update installations below that threshold.
  5. Confirm the browser reports the corrected or a later version.
  6. Follow up on devices that cannot be verified.
Do not add Windows Chrome installations to the affected count solely because they run Chrome. Do not label Edge vulnerable solely because it uses Chromium. Do not assume Linux is affected because the component name is shared across platforms.
If another browser vendor publishes its own advisory linking a product and platform to this vulnerability, administrators can expand the scope based on that evidence. Until then, the confirmed scope remains Chrome on macOS.
This precision also improves user communication. A focused notice to affected Mac users is more actionable than a general warning claiming that every Chromium browser or USB-equipped computer is vulnerable.
A concise internal message could read:
Google Chrome on macOS must be updated to version 150.0.7871.47 or later to remediate CVE-2026-13778. Until the update is confirmed, do not connect untrusted USB peripherals. This notice does not identify Chrome on Windows or Linux, Microsoft Edge, or every Chromium-based browser as affected.
That wording communicates urgency without overstating the available evidence.

The Public Record Is Short but Sufficient for Remediation​

NVD lists June 30, 2026 as the CVE’s publication date. That date belongs to the NVD record. The supplied facts do not establish that Google published its advisory or released the corrected Chrome build on that same date, so those events should not be assigned a date without separate evidence.
The record also includes the key details needed for action:
  • The affected product is Google Chrome.
  • The affected platform is macOS.
  • The vulnerable versions are those before 150.0.7871.47.
  • The affected component is WebUSB.
  • The weakness is CWE-416, Use After Free.
  • The attack vector is local.
  • A malicious peripheral is involved.
  • User interaction is required.
  • Privileges are not required under the contributed CVSS assessment.
  • The stated outcome is arbitrary code execution.
  • The Chromium security severity is Critical.
  • The CISA-ADP CVSS 3.1 score is 7.8 HIGH.
  • The listed SSVC record reports exploitation as none, automation as no, and technical impact as total.
A long publication chronology adds little to those facts. The operational decision does not depend on reconstructing each database-enrichment event. It depends on finding affected Macs and moving their Chrome installations across the fixed-version boundary.
Administrators should also distinguish between the absence of known exploitation in the listed SSVC assessment and the absence of risk. The record supports an orderly response rather than panic, but the combination of arbitrary code execution and Critical Chromium severity does not support postponement.

Patch First, Then Apply the Temporary Peripheral Precaution​

The direct remediation is a Chrome update. This is not presented in the supplied record as a macOS operating-system fix, a Windows update, a firmware update, or a generic Chromium patch.
The peripheral precaution is narrower. Users whose Macs have not yet been confirmed at 150.0.7871.47 or later should avoid connecting unknown or untrusted USB peripherals.
That guidance should remain simple. The available facts do not support an elaborate list of supposedly dangerous device types, affected workplaces, investigation steps, or device-history indicators. Nor do they establish a reliable way to identify a malicious peripheral by appearance.
The browser version is the measurable control. An administrator can determine whether Chrome is earlier than the corrected threshold and can verify when that condition has been removed.

Action checklist for administrators​

  • Inventory Google Chrome installations specifically on macOS.
  • Flag every Chrome version earlier than 150.0.7871.47.
  • Deploy an approved Chrome release at 150.0.7871.47 or later.
  • Have users relaunch Chrome when the update is ready to be applied.
  • Verify the version through chrome://settings/help or Chrome menu > Help > About Google Chrome.
  • Follow up on Macs whose installed version cannot be confirmed.
  • Tell affected users not to connect untrusted peripherals until remediation is verified.
  • Keep Windows Chrome, Linux Chrome, Edge, and other Chromium browsers outside this CVE’s affected inventory unless product-specific vendor evidence says otherwise.
  • Record the Chromium severity as Critical and the contributed CISA-ADP CVSS score as 7.8 HIGH without presenting them as interchangeable measurements.
  • Treat the listed SSVC “exploitation: none” value as a point-in-time assessment, not as permission to delay patching.
The checklist deliberately separates evidence from assumptions. It uses the version and platform information published in the record while avoiding unsupported claims about how an attacker might package, deliver, or operate a malicious device.

This Is a Mac CVE With a Broader Defensive Lesson​

CVE-2026-13778 should not be described as a Windows Chrome vulnerability on the basis of the supplied evidence. Windows users and administrators should follow the published scope rather than treating a Chrome-on-macOS record as proof of cross-platform exposure.
The vulnerability is still relevant to WindowsForum because Windows administrators often own mixed environments. A security program that patches Windows effectively but overlooks Chrome on managed Macs has not completed the remediation.
The broader lesson is about maintaining accurate boundaries. Product name, operating system, version, attack vector, required interaction, and stated outcome all matter. Removing one of those qualifiers can transform a precise vulnerability notice into an inaccurate general warning.
Here, the complete statement is specific: a use-after-free vulnerability in WebUSB affects Google Chrome on macOS before 150.0.7871.47; a local attacker can use a malicious peripheral, with user interaction required, to execute arbitrary code. No known exploitation is identified in the listed SSVC record, but the potential technical impact is severe.
That is enough information to act decisively without inventing the missing pieces.
Patch Mac Chrome fleets immediately. Verify the browser version after the update. Keep the alert limited to products and platforms supported by vendor or CVE evidence. Until affected Macs are remediated, treat an untrusted USB accessory as active input to the computer—not as an inert object simply because it connects through a cable.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:39:26-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:39:26-07:00
    Original feed URL
  3. Related coverage: wicg.github.io
  4. Related coverage: chromium.org
 

Back
Top