CVE-2026-13808 Fixed in Chrome for iOS 150.0.7871.47

Google fixed CVE-2026-13808 in Chrome for iOS 150.0.7871.47, closing an insufficient-data-validation flaw that could let a local attacker with physical access to an iPhone or iPad extract potentially sensitive information from the browser’s process memory without requiring privileges or user interaction. The vulnerability is real, but its practical reach is narrower than Chromium’s “High” label initially suggests. It is best understood as a post-access data-exposure risk: dangerous for seized, shared, or otherwise compromised devices, but not a drive-by web exploit threatening every Chrome user on the internet.
The sparse disclosure also exposes a recurring weakness in vulnerability reporting. Google’s release notes establish the fix and Chromium severity, while the National Vulnerability Database and CISA provide the attack conditions; none publicly explains precisely what data can leak, how the defective validation is reached, or whether a locked device is sufficient. That leaves defenders with enough information to patch, but not enough to model the flaw with confidence.

Security illustration showing Chrome on iPhone and iPad, a vulnerability warning, patch notice, and locked-device protections.A High-Severity Bug With a Very Local Blast Radius​

CVE-2026-13808 affects Google Chrome on iOS before version 150.0.7871.47. Google describes it as insufficient data validation capable of exposing potentially sensitive information from process memory, while CISA’s supplemental assessment identifies the weakness as CWE-20, or improper input validation.
The attacker must be local and have physical access to the device. CISA’s CVSS 3.1 vector is AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, producing a score of 4.6, or Medium. In plain English, exploitation requires possession of the target hardware, appears to have low technical complexity, needs no pre-existing account or privilege, and does not require the victim to click or approve anything.
The expected impact is confined to confidentiality. The published vector does not claim that the attacker can modify data, execute code, make Chrome unavailable, escape the browser sandbox, take over iOS, or persist after the device is returned. What it does claim is potentially serious disclosure from the memory of the Chrome process.
Those qualifications matter. “Process memory” can sound like a synonym for “everything on the phone,” but it is not. A browser process may temporarily hold rendered page content, form values, URLs, session-related state, downloaded material, identifiers, search terms, and other data needed for active work. The public record does not establish which of these categories CVE-2026-13808 can actually expose.
It would therefore be irresponsible to declare that the vulnerability steals passwords, authentication tokens, payment information, or browsing history. Those are conceivable examples of sensitive browser data, not confirmed outputs of this particular flaw. Until Google opens Chromium issue 504221510 or publishes a deeper technical explanation, the boundary between plausible and demonstrated impact remains important.
The result is an awkward but defensible verdict: the bug is not broadly exploitable, yet it could be highly consequential in the comparatively rare situations where its prerequisites are satisfied. A vulnerability does not need internet-scale reach to be damaging to a journalist, executive, administrator, activist, traveler, or employee whose unlocked device has fallen into hostile hands.

Chromium’s “High” and CISA’s “Medium” Measure Different Things​

The apparent disagreement between Chromium’s High rating and CISA’s 4.6 Medium score is not evidence that one party made a mistake. It reflects two ways of looking at the same vulnerability.
Chromium’s severity classification is a vendor judgment influenced by the security boundary crossed and the potential consequence inside the product. A flaw that permits extraction of sensitive browser-process data can deserve a strong internal priority even if attackers need unusual access. Google also has reasons to treat memory disclosure seriously because leaked data can sometimes support subsequent attacks, especially when combined with another vulnerability.
CVSS is more mechanical. Physical access sharply reduces the base score because an attacker cannot exploit the bug remotely or at scale. The absence of integrity and availability impact reduces it further. High confidentiality impact raises the result, but not enough to overcome the physical attack vector.
This is precisely why a single severity word is a poor patching policy. A consumer reading “High” might imagine a malicious website silently compromising an iPhone. An enterprise dashboard showing “4.6 Medium” might bury the update behind remotely exploitable server bugs. Both reactions miss the operational context.
For most personally owned iPhones that remain locked and under their owners’ control, CVE-2026-13808 is unlikely to be the week’s dominant security threat. For managed devices used at border crossings, in field operations, in laboratories, or around sensitive corporate information, physical-access assumptions may already be central to the threat model. The same CVE can therefore be routine for one fleet and urgent for another.
CISA’s Stakeholder-Specific Vulnerability Categorization record adds useful restraint. It listed no known exploitation, judged the flaw non-automatable, and described its technical impact as partial. That assessment argues against treating CVE-2026-13808 as a mass-compromise emergency.
It does not argue for ignoring the patch. “No known exploitation” means the available evidence did not establish exploitation when the assessment was produced. It is not proof that exploitation never occurred, and restricted bug details make independent verification difficult.

Physical Access Is a Prerequisite, Not a Complete Threat Model​

The phrase physical access often gets translated into “the attacker needs your unlocked phone.” The published CVE description does not go that far. It says the attacker requires physical access to the device, but it does not publicly specify the lock state, connection method, browser state, device-management configuration, or duration of access required.
That ambiguity is consequential. There is a substantial difference between an attack that works against a locked, current iPhone over a cable and one requiring an unlocked session with Chrome already running. There is another difference between an attack accessible through ordinary user-interface actions and one requiring a development, forensic, or modified-device environment.
CISA’s vector states that no privileges and no user interaction are required, but those fields must be read within the assumed attack environment. “No privileges required” means the vulnerability itself does not demand an authenticated privilege level as represented by CVSS. It does not necessarily mean that every stock, locked iPhone exposes an unrestricted path to Chrome’s private process memory.
Likewise, “no user interaction” means the victim does not need to perform an action after the attack conditions exist. It does not erase the physical-access condition, Apple’s device protections, or any undocumented setup needed to reach the vulnerable code.
The safest interpretation is narrow: once an attacker can physically interact with a device in the required state, exploitation may be straightforward and may not need the victim’s cooperation. Anything more specific would exceed the public evidence.
That matters for incident response. An employee briefly leaving a locked phone on an office desk is not automatically equivalent to an adversary obtaining an unlocked phone for an hour. A device recovered after theft presents a different case again, particularly if the thief may know the passcode, has access to a trusted computer, or can compel the owner to unlock it.
Security teams should avoid turning the CVE into either a universal forensic alarm or an excuse for complacency. The practical response is to patch the browser, preserve existing device-security controls, and escalate investigation only when physical custody was genuinely lost or unauthorized access is otherwise plausible.

Chrome on iOS Is Not Desktop Chrome in a Smaller Window​

The iOS designation is central to this bug, not a cosmetic platform note. Chrome on Apple’s mobile operating systems does not simply transplant the full desktop Chromium architecture onto an iPhone.
As Chromium’s own security documentation explains, Chrome on iOS operates under Apple’s platform restrictions and uses Apple’s WebKit engine rather than the standard Blink rendering engine used by Chrome on Windows, macOS, Linux, and Android. Chrome still supplies its own interface, account integration, synchronization, navigation logic, and supporting components, but the platform’s browser-engine rules substantially change its internals.
This distinction helps explain why a Chrome for iOS vulnerability appeared in Google’s enormous Chrome 150 desktop security announcement. Google’s June 30 release post promoted Chrome 150 to the stable channel for Windows, macOS, and Linux and listed hundreds of security fixes, including CVE-2026-13808 and several other iOS-specific issues. The post is a security ledger covering the broader Chrome codebase, not proof that every listed flaw affects every desktop installation.
For WindowsForum readers, the immediate product impact is therefore unusually clear: CVE-2026-13808 does not make Chrome on Windows vulnerable merely because the desktop release notes mention it. The affected product named by the CVE is Chrome for iOS, and NVD’s configuration ties affected Chrome versions to Apple’s iPhone operating system.
That does not make the disclosure irrelevant to Windows administrators. Microsoft-heavy organizations often manage iPhones through Microsoft Intune, enforce application requirements through Conditional Access, and depend on mobile browsers for Microsoft 365, Entra ID, SaaS dashboards, and administrative portals. A Chrome for iOS memory disclosure may sit outside Windows while still touching the identity and data plane of a Windows-centered enterprise.
The practical lesson is to patch by platform rather than headline. Desktop Chrome version 150.0.7871.47 and iOS Chrome version 150.0.7871.47 may share numbering and portions of a release train, but their attack surfaces and update channels are different. Administrators should not mark an iOS finding remediated simply because the Windows desktop fleet has reached the same version number.

The Version Trail Is Messier Than the Fix Boundary​

Google announced Chrome Stable 150.0.7871.34 for iOS on June 17, 2026. The CVE record later established 150.0.7871.47 as the fixed boundary, meaning that the earlier Chrome 150 iOS build remained within the affected range.
The vulnerability was reported internally by Google on April 19, according to the Chrome release notes. The CVE was published on June 30, and NVD added its initial analysis on July 1. This chronology suggests coordinated disclosure alongside the release that contained the fix rather than discovery after the patched build had already circulated.
There is no public indication that users must install a special one-off package. The remediation is to run Chrome for iOS version 150.0.7871.47 or later from Apple’s App Store. By July 2026, any later stable version should also contain the correction unless Google explicitly says otherwise.
The important administrative number is not “Chrome 150.” It is the complete build boundary. Version 150.0.7871.34 is Chrome 150 but remains below the fixed build. Inventory tools and compliance policies that compare only the major version could therefore produce a false sense of remediation.
Mobile application inventory is often less reliable than desktop browser inventory. Devices may delay App Store updates because of power state, network conditions, user settings, storage pressure, regional rollout timing, or management policy. An update being available does not prove that every enrolled device has installed it.
Organizations should verify the installed application version rather than assuming automatic updates completed. Where mobile-device management supports minimum app versions, access to sensitive resources can be conditioned on a fixed or newer Chrome build. Where it does not, compliance reporting and user notification remain preferable to relying on an unverified App Store rollout.
Consumers can perform a simpler check: open Chrome’s settings or the App Store listing and confirm that the installed build is at least 150.0.7871.47. If an update is offered, install it. Rebooting the device after updating is a reasonable way to ensure old browser processes and their memory contents are no longer active, although Google’s public advisory does not describe a reboot as mandatory.

NVD’s CPE Entry Looks Odd Because Platform Modeling Is Odd​

The NVD configuration joins a Google Chrome application CPE for versions below 150.0.7871.47 with an Apple iPhone OS CPE. The operating-system entry uses a dash for the version rather than describing a conventional vulnerable iOS version range.
At first glance, that can look incomplete. It invites the question displayed on NVD pages: is a CPE missing? In this case, the oddity more likely reflects the limits of product-configuration modeling than evidence of an undocumented operating-system vulnerability.
The affected component is Google Chrome for iOS, not iOS itself. Apple’s operating system appears in the configuration to express that the vulnerable Chrome build must be running on the iOS platform. The logical relationship matters: it is an application condition combined with an operating-system condition, not a claim that all Apple iPhone OS releases contain the defective Chrome code.
The absence of a detailed iOS range may mean that Google did not constrain the CVE to particular supported iOS versions in the published record. It may also reflect the difficulty of mapping modern Apple naming and version support into CPE records. NVD entries are useful for machine matching, but they are not always elegant product maps.
There is a separate data-quality wrinkle in the CVE’s affected-version record. The supplied structured entry identifies 150.0.7871.47 while also marking versions less than 150.0.7871.47 as affected. Human readers can infer the intended boundary from the prose: builds before 150.0.7871.47 are vulnerable, and 150.0.7871.47 fixes the problem. Automated consumers should nevertheless test how their scanner interprets that structure.
This is not academic housekeeping. A vulnerability platform that fails to distinguish desktop Chrome from Chrome on iOS could generate false positives across Windows and macOS fleets. One that demands a specific iOS-version range before matching could miss vulnerable mobile installations. Asset rules should therefore preserve both the product identity and platform condition.
For administrators writing their own detection logic, the defensible test is simple: identify Google Chrome installed on iOS or iPadOS and flag complete versions lower than 150.0.7871.47. Do not apply that rule blindly to desktop Chrome, and do not infer that updating iOS alone remediates the vulnerable Chrome application.

Restricted Bug Details Protect the Rollout but Limit Defenders​

The linked Chromium issue requires permission, leaving the technical mechanism unavailable to the general public. Google routinely restricts security bug details until a majority of users have received a fix, and may keep them closed longer when third-party code remains exposed.
That policy has an obvious defensive rationale. Publishing a detailed proof of concept while an update is still rolling out can shorten the distance between disclosure and weaponization. Restriction is particularly understandable for a flaw Google internally rated High and for a release carrying hundreds of other fixes.
The cost is analytical uncertainty. Defenders cannot determine whether CVE-2026-13808 exposes stale heap data, crosses an application-level privacy boundary, mishandles an imported structure, leaks through an iOS integration, or depends on a diagnostic interface. They also cannot independently test which data classes are reachable.
This lack of detail should make commentary more conservative, not more dramatic. Claims that the flaw dumps all browser memory, defeats the iPhone passcode, extracts saved passwords, or provides full device compromise are not supported by the published description. The CVE says an attacker may obtain potentially sensitive information from process memory; it does not define a complete device-forensics capability.
The same restraint applies in the other direction. Because the weakness is described as improper validation rather than memory corruption, readers may assume it is harmless. Yet validation failures can reveal data precisely because a component accepts an index, object, state transition, or request that should have been rejected. Confidentiality-only bugs can be valuable when the memory exposed contains session state or information useful to a second exploit.
Google may eventually open the issue after adoption of the fixed version rises. Even then, the public ticket might contain redactions or focus on the code correction rather than a reproducible attack. For now, version-based remediation is more dependable than mechanism-based detection.

A Browser Patch Cannot Repair a Weak Custody Model​

CVE-2026-13808 is fundamentally a reminder that mobile security depends on both software state and device custody. Updating Chrome removes this specific path, but it does not make an unlocked phone safe in adversarial hands.
A strong passcode remains more important than a convenient short PIN, particularly for people with elevated exposure. Biometric authentication is useful, but organizations should understand the conditions under which Face ID or Touch ID can be disabled and a passcode required. Rapid reporting of lost devices is essential because response options become less valuable as time passes.
Managed-device controls also matter. Remote lock and wipe, short inactivity timeouts, encryption-backed passcode requirements, restrictions on developer features, and the ability to revoke enterprise sessions can reduce the consequence of physical loss. None is a substitute for patching, but together they limit the value of any data an attacker might recover.
Identity teams should consider what Chrome sessions on a managed iPhone can reach. If the device has access to privileged Microsoft 365 administration, source-code repositories, infrastructure consoles, customer records, or password-management systems, a confidentiality flaw deserves more attention than the numerical CVSS score alone conveys.
An actual custody incident requires a broader response than updating Chrome after the phone returns. Administrators may need to revoke active sessions, rotate exposed credentials, inspect sign-in logs, invalidate device registrations, and decide whether the handset can be trusted without re-enrollment or reset. CVE-2026-13808 does not prove that any of those assets were compromised, but an unlocked device outside authorized control creates risks well beyond one browser bug.
For ordinary users, the response should remain proportionate. Install the update, keep automatic App Store updates enabled, use a strong device passcode, and do not hand an unlocked phone to untrusted people. There is no published basis for panic, mass password resets, or abandoning Chrome on iOS solely because this CVE exists.

The Absence of Remote Exploitation Changes the Patch Order​

Security teams constantly triage vulnerabilities labeled High, and treating them all identically is not discipline—it is surrender to a queue. CVE-2026-13808 should be prioritized according to exposure rather than vendor severity alone.
Remote code-execution bugs, known exploited vulnerabilities, authentication bypasses, and internet-facing service flaws will generally outrank it. Those weaknesses can be attacked without obtaining the target hardware and often scale across an organization. CVE-2026-13808’s physical vector and confidentiality-only impact constrain both likelihood and campaign reach.
Within a mobile fleet, however, patch priority should rise for high-value users and devices likely to leave controlled environments. Executives, incident responders, domain administrators, developers with production access, legal personnel, journalists, and frequent international travelers all carry a higher consequence if browser data is exposed.
Shared or kiosk-like iOS devices deserve separate review. Physical access is inherent in their purpose, and assumptions about who can interact with the device are weaker. If Chrome stores or displays sensitive data on such hardware, administrators should verify both the fixed version and the effectiveness of session-clearing procedures.
The patch is also relatively inexpensive. Updating an App Store browser is generally less disruptive than deploying operating-system firmware or changing enterprise infrastructure. Even when probability is low, a low-cost correction for a potentially high-confidentiality impact is an easy maintenance decision.
The right message is therefore neither “drop everything” nor “physical access means it does not matter.” It is: update promptly, verify on sensitive devices, and do not displace more urgent remediation unless your threat model makes device seizure or unauthorized handling unusually likely.

Chrome 150.0.7871.47 Draws a Clear Operational Line​

The limited disclosure still supports several concrete actions, and they do not require speculation about what remains hidden in Chromium’s restricted tracker.
  • Chrome for iOS versions earlier than 150.0.7871.47 should be treated as vulnerable and updated through Apple’s App Store.
  • The flaw requires physical access and is not described as remotely exploitable through an ordinary malicious website.
  • Published impact is limited to information disclosure from Chrome process memory, with no confirmed code execution, data modification, or denial of service.
  • CISA reported no known exploitation and rated the issue 4.6 Medium under CVSS 3.1, despite Chromium assigning High severity.
  • Windows and desktop Chrome installations should not be flagged solely because Google listed the iOS vulnerability in its desktop stable-channel announcement.
  • Organizations should verify complete mobile build numbers and review session exposure when a vulnerable device has been outside authorized custody.
CVE-2026-13808 will probably disappear into the enormous Chrome 150 patch inventory once current iPhones have updated, but its disclosure should leave a more durable lesson. Browser vulnerability management is no longer a matter of matching a product name and a severity badge: platform, build number, attack position, physical custody, and identity exposure determine the real risk. As browsers become the front ends for corporate systems on every operating system, the organizations that preserve those distinctions will patch faster where it matters—and panic less where it does not.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:40:02-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:40:02-07:00
    Original feed URL
  3. Related coverage: chromereleases.googleblog.com
  4. Related coverage: chromium.org
  5. Related coverage: vulnerability.circl.lu
  6. Related coverage: chromium.googlesource.com
  1. Related coverage: issues.chromium.org
 

Back
Top