CVE-2026-14397: Update Chrome for Mac to 150.0.7871.46

Google fixed CVE-2026-14397 in Chrome 150.0.7871.46 after identifying a Mac-specific out-of-bounds write in ANGLE that could let a remote attacker use a crafted HTML page to potentially escape the browser sandbox. The published affected range covers Google Chrome versions below 150.0.7871.46 on Apple macOS. Chromium labels the flaw Medium, while CISA-ADP assigns it a 9.6 CRITICAL score because the modeled successful attack crosses a security boundary and carries high potential impact to confidentiality, integrity, and availability.
The operational answer for WindowsForum readers is direct: do not open a Windows or Microsoft Edge emergency ticket based on the current record; query managed Macs for Google Chrome versions below 150.0.7871.46. Update those installations promptly and collect post-remediation inventory showing that each device is running version 150.0.7871.46 or later.
The narrow asset filter matters as much as the high external score. The National Vulnerability Database configuration pairs the affected Chrome range with Apple macOS, and the public description identifies Chrome on Mac. Mixed-estate administrators should therefore respond with targeted urgency rather than converting a Mac-specific vulnerability into an unsupported organization-wide browser incident.

A MacBook displays a browser sandbox blocking malicious HTML, with security warnings and software update information.A “Medium” Chrome Bug With Critical Consequences​

CVE-2026-14397 is classified as CWE-787, an out-of-bounds write. At a high level, that means software can write data beyond the memory region it was intended to modify, potentially corrupting adjacent memory and violating assumptions on which program security depends.
The affected component is identified as ANGLE on Mac. According to the published description, a remote attacker could potentially exploit the flaw through a crafted HTML page and escape the browser sandbox. The record does not disclose the vulnerable function, object, allocation, triggering sequence, or implementation path, so more detailed explanations would go beyond the available evidence.
The difference between Chromium’s severity and the CISA-ADP assessment does not require administrators to declare one of them wrong. They are separate published assessments serving different purposes. Chromium records the browser vulnerability as Medium. CISA-ADP supplies the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, producing a score of 9.6 CRITICAL.
That vector models a network-reachable attack with low attack complexity, no required privileges, required user interaction, a changed security scope, and high potential impact to confidentiality, integrity, and availability. It describes the modeled consequences of successful exploitation; it does not establish that attacks have occurred.
The record also contains CISA-ADP’s Stakeholder-Specific Vulnerability Categorization values: exploitation is “none,” automatable is “no,” and technical impact is “total.” NVD has not supplied its own CVSS 4.0, 3.x, or 2.0 assessment. The 9.6 score must therefore be attributed to CISA-ADP rather than described as an NVD score.
Assessment sourceResultOperational meaningWhat it does not establish
Chromium security severityMediumChromium classifies the Chrome vulnerability as MediumThat administrators can safely postpone remediation
CISA-ADP CVSS 3.19.6 CRITICALThe modeled attack requires user interaction but crosses a security boundary and has high potential impactThat exploitation has been observed
CISA-ADP SSVCExploitation: none; automatable: no; technical impact: totalThe supplied record identifies no exploitation and does not categorize exploitation as automatable, while recognizing the highest technical-impact categoryThat the flaw is harmless or requires no action
NVD CVSS assessmentNot providedNVD has not supplied its own CVSS assessmentThat CISA-ADP’s 9.6 score was authored by NVD
The useful reconciliation is straightforward: CVE-2026-14397 has potentially severe consequences if exploitation succeeds, but the supplied record identifies no exploitation and provides a narrow affected configuration. That supports prompt, scoped remediation rather than either complacency or an unsupported all-platform emergency.

The Published Technical Detail Is Narrow​

The confirmed technical statement is limited but sufficient for exposure management. CVE-2026-14397 is an out-of-bounds write in ANGLE on Mac that can be reached through crafted HTML and could potentially enable a Chrome sandbox escape.
Browser sandboxing is intended to contain code that processes untrusted web content. The potential escape language indicates that the modeled result can cross a security boundary rather than remain confined to the initially affected context. CISA-ADP’s changed-scope metric is consistent with that consequence.
The record does not specify what access would follow a successful escape. It does not support claims about a particular privilege level, persistence technique, credential-theft capability, or complete takeover of the Mac. “Potential sandbox escape” should be reported as published rather than expanded into a more specific post-exploitation narrative.
Administrators also should not infer undisclosed prerequisites involving particular Mac models, graphics hardware, drivers, memory layouts, Chrome settings, or workload types. Those conditions are not established in the supplied information.

What we do not know​

The public material supplied for this report does not provide a proof of concept, crash signature, vulnerable source path, trigger sequence, network indicator, endpoint indicator, or other CVE-specific detection artifact. It also does not identify the exact ANGLE execution path or graphics operation involved. Defenders should therefore use version-based exposure management: a Mac running Google Chrome below 150.0.7871.46 is within the published affected range, while version 150.0.7871.46 or later is outside that range.
Being outside the published affected range is the correct remediation criterion for this CVE. It should not be described as independent proof that every possible browser deployment condition, running process, management status, or unrelated security issue on the endpoint is resolved.

Exact Asset Scope and Remediation Threshold​

The strongest operational value in the record is its precise filter:
  • Operating system: Apple macOS.
  • Application: Google Chrome.
  • Affected version: Earlier than 150.0.7871.46.
  • Remediation threshold: Version 150.0.7871.46 or later.
Administrators should query the full managed Mac population, including executive devices, design and media systems, development machines, test labs, remote endpoints, contractor equipment under management, and Macs assigned to users who primarily work in Windows-centered environments.
If the organization cannot report browser versions by operating system, the immediate issue is an inventory gap. The response should focus on obtaining reliable Mac browser-version data rather than estimating exposure from device counts or generic browser-installation records.
The public vulnerability record provides the affected platform and version boundary, but it does not prescribe a universal update workflow. Organizations should deploy a current supported Chrome build through their established Mac software-management process and verify the resulting installed version. Individual users should follow the organization’s approved Chrome update procedure rather than relying on an undocumented sequence presented as part of the CVE record.
Administrators should treat 150.0.7871.46 as a minimum threshold, not as a version on which the estate must remain. If a later supported Chrome release is available through the normal deployment channel, that later release is also outside the published affected range.
A useful enterprise workflow produces three concrete results:
  1. A list of managed Macs on which Google Chrome is installed.
  2. The Chrome version reported for each Mac.
  3. Post-remediation evidence showing version 150.0.7871.46 or later.
Where inventory is stale, the endpoint should remain in an unknown-status group until a current version can be obtained. “Not yet checked” is not the same as “not affected.” Offline and intermittently connected Macs should have assigned owners and follow-up dates rather than disappearing from the remediation report.
Management systems also vary in how they represent downloaded packages, installed application versions, user sessions, and running processes. The CVE record does not define those product-specific semantics. Administrators should base closure on trustworthy post-deployment version evidence rather than assuming that a generic “update sent” or “deployment successful” status proves the browser has moved outside the published range.

Action checklist for admins​

  • Query managed Apple macOS devices for installations of Google Chrome.
  • Identify every Mac reporting a Chrome version below 150.0.7871.46.
  • Include remote, executive, development, laboratory, creative, contractor, and intermittently connected Macs.
  • Deploy Chrome 150.0.7871.46 or a later supported version through the organization’s approved Mac software-management process.
  • Collect current post-remediation browser-version inventory.
  • Re-query the Mac population to identify failed, stale, offline, or otherwise unverified endpoints.
  • Preserve pre-remediation and post-remediation results as ticket evidence.
  • Assign an owner and documented plan to every exception.
  • Record Chromium’s Medium rating and CISA-ADP’s 9.6 CRITICAL score as separate assessments.
  • Do not describe the 9.6 score as an NVD-authored assessment.
  • Do not mark Windows Chrome, Linux Chrome, Microsoft Edge, or another Chromium-derived browser as affected without product-specific confirmation.
  • Monitor vendor and vulnerability records for changes to the affected configuration or exploitation status.
A practical closure criterion is that no in-scope managed Mac remains below 150.0.7871.46, or that every unresolved device has an identified owner, a documented reason, and an immediate remediation or containment plan.

The Disclosure Record Contains Distinct Assessments​

The CVE record combines material from multiple organizations. Chrome is identified as the CVE source and is associated with the initial submission and later record changes. The available facts do not justify asserting that Chrome independently authored every description field, weakness value, affected-version entry, and reference now displayed across downstream records.
CISA-ADP supplied the 9.6 CVSS 3.1 assessment and the listed SSVC values. NIST added the platform-aware configuration pairing the affected Google Chrome version range with Apple macOS. Those separate contributions explain why vulnerability tools may show different headline labels or attribution details.
Reports should preserve the source of each assessment:
  • Chromium security severity: Medium.
  • CISA-ADP CVSS 3.1: 9.6 CRITICAL.
  • CISA-ADP SSVC: exploitation none, automatable no, technical impact total.
  • NVD CVSS: no NVD-authored assessment supplied in the record.
  • NVD configuration: affected Chrome version range associated with Apple macOS.
Writing that “NVD rates CVE-2026-14397 at 9.6” would misattribute the CISA-ADP score. Writing only that the flaw is Medium would omit a significant external risk assessment. An accurate ticket records both values and then bases action on the affected asset filter, the version threshold, and the current exploitation evidence.

Timeline​

The available change history supports this sequence:
  1. Chrome created the CVE record, establishing the initial Mac-specific ANGLE vulnerability entry.
  2. CISA-ADP added its CVSS 3.1 assessment, assigning a score of 9.6 CRITICAL.
  3. CISA-ADP added SSVC values, recording exploitation as none, automatable as no, and technical impact as total.
  4. NIST added its initial analysis and affected configuration, pairing the vulnerable Chrome range with Apple macOS.
  5. A later SSVC metadata update changed timestamp representation without changing the substantive exploitation, automation, or technical-impact values.
A metadata-only change should not be mistaken for evidence of exploitation or a newly expanded affected scope. Administrators reviewing automated “record modified” alerts should inspect the changed fields before reopening an incident, expanding asset counts, or changing priority.

Version-Based Exposure Management​

Because the supplied public record contains no CVE-specific indicators, the defensible detection and remediation model is based on asset and version data.
A Mac with Chrome below 150.0.7871.46 is within the published affected range. A Mac reporting Chrome 150.0.7871.46 or later is outside that range. Generic browser crashes, graphics activity, page-rendering problems, or common endpoint alerts should not be labeled as exploitation of CVE-2026-14397 without additional technical evidence.
The same standard applies to retrospective investigation. A historical browser crash on a Mac that was running an affected version proves only that a crash occurred on an exposed installation. It does not prove exploitation of this vulnerability.
Security teams can still investigate suspicious browser-related activity under their normal incident-response rules. Unexpected child processes, credential access, persistence, or other malicious behavior may deserve urgent analysis, but the current public information does not identify those events as signatures of CVE-2026-14397.
Until more technical evidence is released, the reliable operational questions are:
  • Was Google Chrome installed on the Mac?
  • Was the reported version below 150.0.7871.46?
  • Has a supported version at or above the remediation threshold been deployed?
  • Does current inventory confirm that version?
  • Are any in-scope Macs offline, unmanaged, stale, or otherwise unverified?
  • Does each unresolved exception have an owner and remediation plan?
This approach avoids speculative analytics while providing a measurable reduction in exposure.

What WindowsForum Administrators Should Report​

A concise internal advisory can state:
CVE-2026-14397 is an out-of-bounds write in ANGLE affecting Google Chrome versions below 150.0.7871.46 on Apple macOS. Crafted HTML could potentially enable a browser sandbox escape. Chromium rates the vulnerability Medium; CISA-ADP assigns a CVSS 3.1 score of 9.6 CRITICAL and records SSVC values of exploitation none, automatable no, and technical impact total. NVD has not supplied its own CVSS assessment. Update affected Macs to Chrome 150.0.7871.46 or a later supported version and verify the resulting version through current inventory.
That language preserves the important facts without claiming active exploitation, undocumented detection indicators, or technical details that have not been disclosed.
For ticketing and dashboards, use the exact filter:
FieldRequired value
Operating systemApple macOS
ApplicationGoogle Chrome
Affected versionEarlier than 150.0.7871.46
Remediation threshold150.0.7871.46 or later
Chromium severityMedium
CISA-ADP CVSS 3.19.6 CRITICAL
CISA-ADP exploitation statusNone
Primary actionUpdate and verify current version
Vulnerability scanners and asset tools may normalize product names, operating systems, version ranges, or shared component data differently. Before accepting a finding that falls outside the published filter, administrators should require product- and platform-specific evidence. A match based only on ANGLE, a generic Chromium association, or the CVE’s severity is not enough to establish exposure.
Reports should also distinguish four endpoint states:
  • Affected: A managed Mac reports Google Chrome below 150.0.7871.46.
  • Remediated: A managed Mac reports Google Chrome 150.0.7871.46 or later.
  • Not installed: Current inventory shows that Google Chrome is not installed.
  • Unknown: Inventory is missing, stale, conflicting, or otherwise insufficient.
That separation prevents unknown devices from being counted as safe and gives operations teams a clear queue for follow-up.

The Forward-Looking Test Is Whether the Evidence Changes​

CVE records mature. Vendors may disclose additional technical information, revise affected configurations, publish new version guidance, or update exploitation status. Other browser vendors may separately determine whether their products contain the vulnerable condition.
Security teams should monitor for those changes without writing them into the present record prematurely. A product-specific advisory confirming another affected platform or browser would justify expanding the response. New exploitation evidence would justify reassessing incident priority and retrospective investigation. A disclosed crash pattern, proof of concept, or other technical indicator could support detection engineering beyond version checks.
Until the evidence changes, the executable decision remains simple: identify Macs running Google Chrome below 150.0.7871.46, move them to that version or a later supported release, verify the result with current inventory, document unresolved exceptions, and retain the deployment evidence.
The severity difference provides useful context but does not change that workflow. Chromium’s Medium label does not eliminate the need to remediate, while CISA-ADP’s 9.6 score describes the modeled impact of successful exploitation rather than proving observed attacks.
The durable operational test is therefore not which headline label appears largest in a dashboard. It is whether every in-scope Mac has been moved outside the published affected range—and whether new vendor-backed evidence changes the filter.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:39:54-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:39:54-07:00
    Original feed URL
  3. Related coverage: chromium.googlesource.com
  4. Related coverage: khronos.org
 

Back
Top