CVE-2026-13946: Update Chrome on iOS to 150.0.7871.47

CVE-2026-13946 affects Google Chrome on iOS versions earlier than 150.0.7871.47. The published description says crafted HTML can cause cross-origin information leakage. Users should update Chrome through the App Store to 150.0.7871.47 or later and check Chrome’s app/version information if available. The supplied record does not identify Chrome on Windows, macOS, Linux, or Android as affected.

A hand holds an iPhone displaying a Chrome update, beside a graphic illustrating secure cross-origin data flow.Actionable scope​

ItemPublished informationRequired response
Affected productGoogle Chrome on iOSCheck iPhones that have Chrome installed
Affected rangeVersions earlier than 150.0.7871.47Update to 150.0.7871.47 or later
Documented impactCross-origin information leakage through crafted HTMLTreat as a confidentiality-boundary flaw
User interactionRequired by the supplied CVSS vectorContinue normal link-safety guidance
Exploitation statusThe supplied CISA-ADP SSVC assessment reports exploitation: nonePatch promptly without presenting this as a confirmed active campaign
Other platformsNot identified as affected in the supplied recordDo not extend this CVE to Windows, macOS, Linux, or Android without additional evidence
Reference-path discrepancy: The NVD entry links to a Chrome release-notes location containing “desktop” in its path, but the CVE description and affected-product configuration identify Chrome on iOS. A word in a reference URL does not override the explicit product scope. Unless an authoritative record adds other platforms, this CVE should remain scoped to Chrome on iOS.

Action checklist for admins​

  • Identify iPhones authorized to access corporate services and determine which have Chrome installed.
  • Flag installations earlier than 150.0.7871.47.
  • Direct users to open the App Store, search for Chrome, and select Update if it is offered.
  • After the update, check Chrome’s app/version information if available and confirm that the installed version is 150.0.7871.47 or later.
  • Route the task to the team or service owner responsible for iPhone application inventory or mobile-device management.
  • Prioritize iPhones used to access sensitive corporate web applications when local risk warrants it.
  • Do not report this as a desktop Chrome vulnerability based only on the linked release-notes path.
  • Use the precise wording: the supplied CISA-ADP SSVC assessment reports exploitation: none.
  • Review the vendor and NVD records for later changes to product scope, affected versions, scoring, or exploitation information.
Application inventory, mobile-device management, compliance rules, user attestations, and completion records are organization-specific ways to carry out this response. They are not requirements imposed by the CVE itself.

A Medium-Rated Browser Boundary Failure​

The public description characterizes CVE-2026-13946 as an inappropriate implementation in Chrome on iOS’s ScriptInjections component. It says a remote attacker can use crafted HTML to cause cross-origin information leakage.
That establishes a confidentiality problem involving the browser’s separation of content belonging to different web origins. It does not reveal the precise information that could be exposed, the complete sequence needed to trigger the behavior, or the underlying implementation error.
The linked Chromium issue is permission-restricted, so the supplied public material does not support a detailed reconstruction of the vulnerable code or exploit process. Administrators should resist filling those gaps with hypothetical examples presented as facts.
The supplied CVSS assessment requires user interaction. Crafted HTML is therefore the delivery mechanism described by the record, but the record does not establish that merely receiving a message, viewing plain text, or having Chrome installed is enough to trigger the flaw. Nor does it specify the exact click, navigation, or page interaction that an attacker would need.
The documented consequence is cross-origin information leakage. The supplied material does not establish arbitrary code execution, device takeover, integrity loss, or service interruption. Those limits need not minimize the issue: a browser confidentiality boundary is important, particularly when an iPhone is used to reach sensitive corporate applications.

The Scope Is Chrome on iOS, Not Chrome Everywhere​

The affected-product data is the central fact for deployment teams. It identifies Google Chrome on iOS and places versions earlier than 150.0.7871.47 in the published affected range. NIST’s configuration information associates that application range with Apple’s iPhone operating system.
Nothing in the supplied record identifies Chrome on Windows, macOS, Linux, or Android as affected by CVE-2026-13946. A general reference to “Chrome” should not be converted into a universal browser alert when the product configuration is platform-specific.
Version language also matters. The supportable formulation is:
  • Versions earlier than 150.0.7871.47 are in the published affected range.
  • Version 150.0.7871.47 or later is the appropriate update target.
That does not require claiming that 150.0.7871.47 contains a particular corrective code change. The restricted Chromium issue prevents public confirmation of the implementation details, and the published range is sufficient for operational decisions.
For WindowsForum readers, the Windows connection is administrative rather than technical. A Windows or identity team may manage the accounts, applications, conditional-access policies, or web services reached from an iPhone even though the affected browser does not run on Windows. That team should route the notice to whoever owns iPhone application inventory, endpoint mobility, or mobile-device management.
Updating desktop Chrome does not update Chrome on an iPhone. Conversely, searching desktop fleets for this CVE would misapply the published scope.

What the Record Does—and Does Not—Say​

The available scoring and classification information should be read together rather than as separate conclusions.
Record or assessmentPublished stateResponsible interpretation
CISA-ADP CVSS v3.14.3 MediumNetwork-reachable, low-complexity issue requiring user interaction, with low confidentiality impact and no recorded integrity or availability impact
Supplied CISA-ADP SSVC assessmentExploitation: noneThe supplied CISA-ADP SSVC assessment reports exploitation: none; this is not a live or comprehensive threat-intelligence guarantee
NVD-authored CVSS v4.0Not available in the supplied recordDo not attribute a v4.0 score to NVD
NVD-authored CVSS v3.xNot available in the supplied recordThe displayed 4.3 assessment comes from CISA-ADP, not an NVD-authored assessment
NVD-authored CVSS v2.0Not available in the supplied recordNo legacy NVD score is provided
CISA-ADP CWE mappingCWE-352, Cross-Site Request ForgeryA weakness classification, not a complete description of the exploit mechanism
The CVSS vector describes a remote path with low attack complexity, no required attacker privileges, and required user interaction. It records low confidentiality impact, with no integrity or availability impact. That combination supports prompt updating while keeping the claimed outcome within the published evidence.
The CWE-352 mapping does not establish that an attacker can change passwords, alter account settings, perform transactions, or take other actions associated with some cross-site attacks. The CVE description specifically emphasizes cross-origin information leakage, and the public record does not disclose enough technical detail to expand that impact.
Likewise, the record does not identify the information that might leak. Describing the data as a specific cookie, token, authenticated response, document, account record, or message would be speculative unless later technical material confirms it.
The exploitation language requires equal precision. The correct statement is that the supplied CISA-ADP SSVC assessment reports exploitation: none. That field should not be reframed as proof that exploitation has never occurred, is impossible, or is absent from every environment. It reports the state of the supplied assessment.
The absence of an NVD-authored score is not a reason to delay the update. The product and affected-version boundary already provide a usable deployment rule.

The Advisory Trail Requires Careful Reading​

The NVD entry’s linked release-notes path contains a desktop reference, while the affected-product description and configuration point to Chrome on iOS. The grounded conclusion is that the path creates a documentation discrepancy—not that desktop Chrome is affected.
There is no need to speculate about whether references were bundled, mislabeled, or used as general advisory anchors. Administrators should rely on the explicit affected-product data unless Google, NVD, or another authoritative source later broadens the scope.
The entry also links to a permission-restricted Chromium issue. That limitation explains why the public material does not provide a complete reproduction procedure, patch analysis, or precise description of the information that could cross the origin boundary.

Record timeline​

Initial CVE record: Chrome supplied a record identifying Chrome on iOS versions earlier than 150.0.7871.47 and describing cross-origin information leakage through crafted HTML.
NVD publication and analysis: NVD published the entry and provided configuration information associating the affected Chrome range with Apple’s iPhone operating system.
CISA-ADP enrichment reflected in the supplied record: CISA-ADP contributed the CVSS v3.1 score of 4.3, the CWE-352 mapping, and the SSVC assessment.
Current operational position from the supplied material: Update Chrome on iOS to 150.0.7871.47 or later; do not infer desktop or Android impact; state that the supplied CISA-ADP SSVC assessment reports exploitation: none.
Specific supply, publication, or enrichment dates should not be asserted unless they are confirmed by the relevant authoritative record.

Windows and Identity Teams Need a Mobile Routing Loop​

A Windows-centered organization can respond without pretending that this is a Windows vulnerability. The practical questions are:
  1. Which iPhones are authorized to access corporate identities, applications, or web services?
  2. Which of those devices have Chrome installed?
  3. Which installations are earlier than 150.0.7871.47?
  4. Who owns application updates and compliance reporting for those iPhones?
If the Windows or identity team does not own mobile endpoints, it should route the notice to the owner of iPhone application inventory or mobile-device management. Depending on the organization, that may be an endpoint engineering group, mobility team, security operations function, outsourced device-management provider, or application owner.
Formal mobile application inventory can make version identification easier. Where that capability is unavailable, an organization may use user confirmation, help-desk outreach, managed application reporting, or another process consistent with its policies. These are local implementation choices, not controls mandated by the CVE.
The supported user action is straightforward:
  1. Open the App Store.
  2. Search for Chrome.
  3. Select Update if the option appears.
  4. Afterward, check Chrome’s app/version information if available.
  5. Confirm that the installed version is 150.0.7871.47 or later.
The exact Chrome-on-iOS menu labels used to display version information can vary and are not established by the supplied NVD material. Administrators should therefore avoid publishing an unverified tap-by-tap path as though it were guaranteed across current builds.
If no Update button appears, that alone should not be treated as definitive version confirmation. Use available application inventory or Chrome’s app/version information where accessible, and document completion through the organization’s normal process.
Organizations may reasonably prioritize iPhones used for privileged administration or sensitive corporate web access. That is local risk-based scheduling, not a claim that the CVE specifically targets administrators, executives, developers, or any other employee group.

Update Verification Is the Immediate Task​

The supplied information does not provide a public exploit signature, detailed network request sequence, list of targeted websites, or complete forensic procedure. Those gaps limit detection guidance, but they do not prevent remediation.
The immediate workflow is:
  • Identify authorized iPhones with Chrome installed.
  • Determine whether each installation is earlier than 150.0.7871.47.
  • Update Chrome through the App Store.
  • Check Chrome’s app/version information if available.
  • Confirm version 150.0.7871.47 or later.
  • Record completion under the organization’s normal endpoint or application-management process.
Additional steps such as conditional-access restrictions, device-compliance enforcement, user attestations, temporary application blocks, session revocation, or credential resets are organization-specific measures. The supplied CVE record does not mandate them.
Similarly, finding a version inside the published affected range does not by itself prove that information was exposed. Any incident-response action beyond updating should be based on separate evidence, local policy, or a broader risk assessment.
Administrators should continue monitoring authoritative records for changes. A later update could add technical details, revise scoring, change the exploitation assessment, clarify the release-notes reference, or expand the affected-product list. Until such a change appears, reporting should stay tied to the current evidence.

The Correct Response Is Narrow, Fast, and Operational​

CVE-2026-13946 is currently scoped to Chrome on iOS versions earlier than 150.0.7871.47. The published impact is cross-origin information leakage through crafted HTML, and the supplied CVSS assessment requires user interaction. The supplied CISA-ADP SSVC assessment reports exploitation: none.
The proportionate response is to update Chrome on affected iPhones to 150.0.7871.47 or later and verify the installed version through available application or version information. Windows and identity teams should route the task to the owner of iPhone inventory or mobile-device management rather than applying the CVE to desktop Chrome.
That platform precision avoids two opposite failures: wasting effort on operating systems not identified in the record and overlooking iPhones that reach Windows-centered identities and services.
The record may gain more technical, scoring, or exploitation information later. For now, teams should follow the published affected-version boundary, complete their organization-specific iPhone inventory and update workflow, and keep every broader claim tied to new authoritative evidence rather than inference.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:40:31-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:40:31-07:00
    Original feed URL
  3. Related coverage: security.snyk.io
  4. Related coverage: cvefeed.io
 

Back
Top