Chrome 150 Fixes CVE-2026-13935 Compute Pressure Side-Channel on Windows & Mac

Google fixed CVE-2026-13935 in Chrome 150.0.7871.47 for Windows and Mac after disclosing that a Compute Pressure side-channel flaw could let a remote attacker leak cross-origin data through a crafted HTML page. The bug is only rated Medium, but the interesting part is not the score. It is the reminder that modern browser security increasingly lives in the gray zone between useful hardware awareness and privacy exposure. As documented by NVD, CISA’s enrichment data, and Google’s Chrome Releases post, this is a patch-now issue rather than a panic-now issue.

Diagram showing cross-origin information leakage between two websites with compute pressure mitigation.Chrome’s Medium Bug Points at a Larger Browser Problem​

CVE-2026-13935 is not the kind of Chrome vulnerability that normally grabs headlines. It is not a sandbox escape, not a remote-code-execution chain, and not a zero-day that Google says is being exploited in the wild. The description is almost clinical: “side-channel information leakage in ComputePressure” before Chrome 150.0.7871.47 allowed cross-origin data leakage via a crafted HTML page.
That dry wording hides a more interesting architectural story. Compute Pressure is part of a class of web APIs designed to make web apps behave more like native applications. A browser-based video conference, game, editor, or AI-heavy web workload can make better decisions if it knows whether the machine is under CPU pressure.
But giving websites even coarse signals about the state of a user’s device creates a new observation point. The browser is not handing a hostile page your files or cookies; it is exposing a signal that can be correlated with activity elsewhere. That is the essence of the side-channel problem: information leaks not through the front door, but through shadows cast by legitimate behavior.

The Patch Is Simple; the Boundary It Defends Is Not​

Google’s June 30 Chrome stable-channel update moved Windows and Mac users to Chrome 150.0.7871.46/.47, with Linux on 150.0.7871.46. Google’s release notes list CVE-2026-13935 as a Medium-severity ComputePressure issue reported by Google on May 14, 2026. NVD published the CVE on June 30 and last modified the record on July 1.
The operational guidance is straightforward: Chrome installations below 150.0.7871.47 on Windows and Mac should be updated. Administrators should also watch Chromium-based browsers that may lag behind upstream Chromium patches, because the underlying component is not conceptually unique to Google-branded Chrome.
Where this becomes less tidy is in vulnerability management. The NVD record initially lacked NIST CVSS scoring, while CISA-ADP assigned a CVSS 3.1 score of 6.5, with high confidentiality impact, no integrity impact, no availability impact, and user interaction required. That combination matches the practical shape of the bug: the attacker needs the victim to visit or interact with a malicious page, but the leaked information could matter.
This is why relying only on the word “Medium” is a poor security habit. Medium does not mean harmless. It means the vulnerability lacks the obvious immediacy of a full compromise, while still being credible enough to justify rapid patching in managed environments.

Compute Pressure Was Built to Make Web Apps Smarter​

The Compute Pressure API exists because the web has moved far beyond static documents. Browser apps now perform real-time video processing, background encoding, collaboration, rendering, and increasingly local AI-adjacent workloads. A web app that can sense system pressure can degrade gracefully instead of driving a laptop into fan noise, throttling, battery drain, and stutter.
Google’s developer documentation describes the API as a way to expose high-level pressure states rather than raw hardware metrics. The first Chromium implementation focused on CPU pressure. Instead of telling a site the exact clock speed, temperature, or utilization curve, the browser gives broader state information that an app can use to reduce quality, lower frame rates, skip nonessential processing, or adjust workload.
That design is deliberately conservative. The browser vendors and standards community know that raw hardware telemetry would be a fingerprinting and side-channel gift. The API’s promise is that coarse, rate-limited, policy-controlled data can deliver enough utility without becoming a surveillance surface.
CVE-2026-13935 shows how difficult that bargain is. Even a coarse signal can become sensitive if it changes in response to activity the attacker is not supposed to observe. The leak is not necessarily in the data’s precision alone; it is in the correlation between the data and a private event.

Cross-Origin Isolation Is the Browser’s Central Promise​

The phrase “cross-origin data” is doing a lot of work here. The same-origin policy is one of the web’s foundational security boundaries. A page from one site should not be able to read the contents, state, or private responses of another site simply because both are open in the same browser.
Modern browsers have added layers around that promise: CORS, CORB, site isolation, process separation, permission policies, and post-Spectre hardening. Yet side-channels have always been awkward because they do not ask the browser to hand over protected content directly. They infer.
A malicious page might not read another site’s response body. But if it can observe system pressure changes caused by loading a resource in another origin, it may learn something about whether the user is logged in, whether a private resource exists, or whether a particular action occurred. The W3C Compute Pressure specification explicitly discusses risks such as timing attacks, cross-site covert channels, and targeted de-anonymization.
That matters for Windows users because Chrome is often the most privileged application in daily life, even when it is not privileged in the operating-system sense. It holds sessions to work apps, identity providers, email, banking, admin consoles, and internal dashboards. The browser is where cross-origin boundaries become practical security boundaries.

The Most Interesting Part Is What Google Is Not Saying​

As usual, Google has restricted access to some Chromium bug details until enough users are updated. That policy is sensible. Publishing a working side-channel recipe before the patch has reached most clients would be irresponsible.
The result, however, is that defenders must reason from the advisory, the CVE text, and the design of the API rather than from a full technical autopsy. We know the affected component. We know the patch floor. We know the weakness category: CWE-1300, improper protection of physical side channels. We know CISA’s SSVC enrichment listed no known exploitation, not automatable, and partial technical impact.
That is enough to set response priority. It is not enough to declare the bug trivial.
Security teams should resist two bad instincts. The first is alarmism: this is not currently described as a zero-day, and there is no public indication of active exploitation. The second is dismissal: cross-origin leakage is precisely the class of browser weakness that can become more valuable when chained with other primitives or targeted against high-value users.

Chrome 150 Was Already a Heavy Security Release​

CVE-2026-13935 landed inside a much larger Chrome 150 security update. Google’s release post says the desktop update includes hundreds of security fixes, and outside reporting from Malwarebytes also flagged the update as unusually large. The exact count reported by different sources may vary depending on how fixes are categorized, but the central point is the same: this was not a tiny point release.
That context cuts both ways. On one hand, a Medium ComputePressure bug can be easy to miss in a release packed with memory-safety issues, policy bypasses, validation failures, and component-specific vulnerabilities. On the other hand, large updates are exactly why organizations should not cherry-pick browser patches based only on a single CVE headline.
Chrome is now infrastructure. It updates with the cadence and volume of an operating system component because, for many workflows, it effectively is one. A vulnerability in a browser API can affect SaaS access, identity flows, endpoint exposure, and user privacy across the enterprise estate.
For Windows administrators, the question is not whether this one CVE deserves an emergency bridge call. It probably does not. The question is whether Chrome and Chromium-derived browsers are being inventoried, updated, and verified with the same discipline applied to VPN clients, EDR agents, and Office builds.

Side-Channels Keep Turning Optimization Into Exposure​

The web platform’s security story after Spectre has been a long exercise in reducing observability. High-resolution timers were blunted. Shared memory was gated. Site isolation became a central mitigation. Cross-origin read blocking and related defenses aimed to make speculative and indirect leaks harder to exploit.
Compute Pressure sits in that same universe. It is not a speculative-execution feature, but it exposes information about shared physical resources. If two activities affect the same CPU pressure state, one may be able to infer something about the other.
The hard part is that shared resources are everywhere. CPU load, GPU behavior, cache timing, memory pressure, battery state, thermal throttling, font rendering, media decoders, and network timing can all become signals. The browser’s job is to expose enough of the machine to make applications useful while sanding down the signal until it is hard to abuse.
That is a messy engineering problem, not a one-time fix. Every new capability creates a new negotiation between developers who want richer context and privacy engineers who want less ambient information available to arbitrary scripts. CVE-2026-13935 is one negotiation that went wrong enough to receive a CVE.

Why User Interaction Still Leaves Room for Real Risk​

CISA’s CVSS vector includes user interaction, which will lead some scanners and dashboards to lower the urgency automatically. That is reasonable in a narrow sense. A remote attacker cannot simply send packets at a vulnerable Chrome instance and win.
But “user interaction” in browser security often means “the user visits a web page.” That is not a meaningful barrier in a world of phishing, malvertising, compromised sites, OAuth consent lures, and targeted links in collaboration tools. If the exploit vehicle is HTML, the delivery problem is not exotic.
The more important limiting factor is that CISA marked the issue as not automatable and with partial technical impact. That suggests this is not a mass wormable condition and not a direct path to code execution. It is more plausibly a privacy or information-disclosure primitive.
Those primitives still matter. Attackers targeting journalists, executives, developers, administrators, activists, or employees of a specific company often care about small pieces of confirmation. Is this user logged into a particular service? Did a private document load? Is a resource accessible only to members of a group? Side-channels thrive on yes-or-no answers.

The Enterprise Lesson Is About Browser Telemetry, Not Just Browser Updates​

For enterprises, the immediate control is patch deployment. Chrome should be at or beyond the fixed build, and update deferrals should be reviewed. If the organization uses Microsoft Edge, Brave, Vivaldi, Opera, Electron-based applications, embedded WebViews, or other Chromium descendants, security teams should track when those vendors absorb the relevant upstream patches.
The deeper lesson is that browser APIs increasingly deserve policy review. Compute Pressure is policy-controlled, and the W3C spec discusses mechanisms to restrict or delegate access. That gives administrators and browser-policy owners a way to think beyond patching: which classes of sites need access to performance-sensitive APIs, and which do not?
Most organizations will not disable every modern web capability. That would break the very SaaS apps users rely on. But high-security environments should be more willing to segment browser profiles, restrict risky permissions, and treat unknown web apps differently from trusted internal services.
There is also a monitoring angle. Browser version compliance should be visible in endpoint management, not inferred from hope. If Chrome updates are allowed to apply silently but restarts are postponed indefinitely, the organization may carry patched-but-not-restarted exposure longer than it realizes.

For Regular Windows Users, the Fix Is Boring by Design​

For individual Windows users, the practical advice is refreshingly mundane. Open Chrome’s About page, let it check for updates, and relaunch. If the browser reports version 150.0.7871.47 or later, the specific Chrome vulnerability described here is addressed for that installation.
The boringness is the point. Browser auto-update is one of the most successful consumer security mechanisms ever deployed. Users do not need to understand side-channel leakage, pressure observers, or cross-origin inference to benefit from a patched build.
Still, users who habitually leave Chrome open for weeks should remember that downloaded updates often require a restart to take effect. The green, yellow, or red update indicator near the Chrome menu is not decoration. It is the browser quietly saying that the security boundary you think you have may still be the old one.
Windows users who run multiple browsers should check them all. A patched Chrome does not automatically mean a patched Chromium-based secondary browser. Nor does it update embedded browsers inside every desktop application.

The Patch Note That Should Change Your Browser Routine​

CVE-2026-13935 is small enough to disappear into a giant Chrome release, but concrete enough to justify action. The strongest security response is not drama; it is disciplined hygiene.
  • Chrome for Windows and Mac should be updated to 150.0.7871.47 or later to address CVE-2026-13935.
  • The vulnerability affects Compute Pressure, a browser API designed to let web apps react to CPU and system pressure without exposing raw hardware metrics.
  • The risk is information disclosure through a side-channel, not direct code execution or a confirmed in-the-wild zero-day.
  • Cross-origin leakage remains serious because the browser’s same-origin boundary protects logged-in sessions, private resources, and identity-linked web activity.
  • Managed environments should verify browser restart and version compliance rather than assuming silent auto-update has completed the job.
  • Chromium-based browsers and embedded Chromium runtimes should be tracked separately, because they may not ship upstream fixes on the same schedule as Google Chrome.
The larger story is that the browser keeps becoming a more capable operating environment, and every new capability has a privacy cost that must be engineered down rather than wished away. CVE-2026-13935 is not a catastrophe, but it is a useful warning: the next frontier of browser risk is not only memory corruption and sandbox escapes, but the quiet leakage that appears when websites are allowed to sense the machine beneath them.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-03T07:00:45-07:00
  2. Security advisory: MSRC
    Published: 2026-07-03T07:00:45-07:00
    Original feed URL
  3. Related coverage: radar.offseq.com
  4. Official source: nist.gov
  5. Related coverage: chromereleases.googleblog.com
  6. Related coverage: labs.cloudsecurityalliance.org
  1. Related coverage: chromium.org
  2. Official source: csrc.nist.gov
 

Back
Top