CVE-2026-13785: Update Chrome for Mac to 150.0.7871.47

Affected: Chrome on macOS before 150.0.7871.47. Action: update Chrome for Mac to 150.0.7871.47 or later. Current record: crafted HTML page plus specific UI gestures; potential sandbox escape; CVSS 9.6 Critical. This scope is important: CVE-2026-13785 is currently published as affecting Chrome on macOS before version 150.0.7871.47. The available record does not place Chrome on Windows within the affected range, so neither the headline nor the response should imply a Windows Chrome exposure.

Laptop shows a Chrome security warning beside an endpoint dashboard flagging an outdated device and browser sandbox escape.Update Chrome for Mac Now​

Google addressed CVE-2026-13785 in Chrome for Mac version 150.0.7871.47. According to the Chrome-sourced description carried by the National Vulnerability Database, the vulnerability is a use-after-free flaw in Chrome’s Bluetooth component. A remote attacker could convince a user to perform specific interface gestures on a crafted HTML page and potentially escape the browser sandbox.
The direct remediation is to update affected Chrome for Mac installations to 150.0.7871.47 or later. The supplied CVE material establishes that fixed-version boundary but does not document Chrome’s update interface, update-check behavior, restart behavior, or other product-specific update procedures. Users and administrators should therefore follow their organization’s approved process or current Google Chrome documentation to deploy the corrected version.
The differentiating operational issue for Windows-centric organizations is not Windows Chrome exposure. It is whether the teams responsible for vulnerability management can locate and update all managed Macs. A company may operate primarily on Windows while still maintaining MacBooks for executives, developers, designers, contractors, or specialist teams. Those systems must not disappear from the response merely because they represent a small part of the endpoint fleet.
A short Mac-focused response is sufficient:
  1. Enumerate managed and authorized macOS endpoints.
  2. Determine which Macs have Google Chrome installed.
  3. Identify Chrome versions earlier than 150.0.7871.47.
  4. Update those installations to 150.0.7871.47 or later.
  5. Confirm through an approved inventory or verification method that the corrected version is installed.
  6. Investigate Macs whose Chrome version remains unknown.

Affected Scope and Version Boundary​

The current NVD record lists Google Chrome on Apple macOS before version 150.0.7871.47 as affected. Based on that published scope, Chrome on Mac at version 150.0.7871.47 or later is outside the listed affected range.
Deployment stateChrome on Mac versionCVE statusRequired response
Below the fixed thresholdEarlier than 150.0.7871.47Within the affected rangeUpdate to 150.0.7871.47 or later
Fixed threshold reached150.0.7871.47 or laterOutside the listed affected rangeRecord the corrected version
Version unknownNot verifiedExposure unresolvedObtain current inventory or direct version confirmation
Chrome not installedNot applicableNo affected Chrome installation identifiedDocument the inventory result
This table should be applied to Chrome on macOS, not extended automatically to other operating systems. Windows and Linux Chrome installations should continue to receive normal security maintenance, but the supplied record does not support labeling them vulnerable to CVE-2026-13785.
The word “Bluetooth” should not be used to broaden the product scope. The published description identifies a flaw in Chrome’s Bluetooth component and the affected configuration lists Chrome on macOS. The published description only establishes a crafted HTML page plus specific user-interface gestures. It does not provide enough detail to redefine this as a general Bluetooth-platform vulnerability or to attribute it to every Bluetooth-capable application.
The supported remediation is reaching the corrected Chrome version. The CVE material does not establish disabling Bluetooth, disconnecting peripherals, changing radio settings, or unpairing devices as substitutes for updating Chrome. Organizations may impose temporary controls under their own risk-management policies, but those controls should not be represented as the documented fix for this vulnerability.

Attack Condition: A Crafted Page and Required User Interaction​

The CVE record describes a remote attacker convincing a user to perform specific interface gestures on a crafted HTML page. That wording establishes two important conditions: delivery through crafted web content and a requirement for user interaction.
The published description only establishes a crafted HTML page plus specific user-interface gestures. It does not disclose what the page contains, which gestures are required, how the vulnerable state is reached, or what the user would see while interacting with the page.
The accessible material also does not provide:
  • The HTML, script, or browser-state requirements needed to trigger the flaw.
  • The exact user-interface gestures involved.
  • A public proof of concept.
  • A malicious domain, URL, file hash, or network signature.
  • A browser or endpoint artifact specific to successful exploitation.
  • The privileges obtained after a potential sandbox escape.
  • A complete sequence connecting the initial browser interaction to later system activity.
Those limits matter when communicating the vulnerability. Defenders can accurately state that user participation is required under the published description, but they should not invent a likely lure, prompt, permission workflow, or sequence of gestures. They also should not turn the interaction requirement into reassurance that patching can wait.
The CVSS vector records user interaction as required through UI:R. That is an attack characteristic, not a compensating control. People routinely interact with web pages, and the public material does not identify a distinctive action that employees can be trained to avoid specifically for CVE-2026-13785.
Security messaging can continue to reinforce normal caution around unexpected websites and prompts, but such advice is not a replacement for updating. Without details about the necessary gestures, organizations cannot reliably convert the CVE description into a precise user-awareness rule.

Why the Vulnerability Is Urgent​

CVE-2026-13785 is classified as CWE-416, Use After Free, in Chrome’s Bluetooth component. The classification identifies a memory-lifetime flaw, while the Chrome-sourced description identifies potential escape from the browser sandbox as the relevant outcome.
The public record does not provide the vulnerable object, the memory-reuse sequence, or a complete exploit chain. Defenders should therefore avoid presenting hypothetical heap manipulation, code execution, privilege escalation, or post-exploitation activity as confirmed behavior for this CVE.
The available facts are serious without that speculation. A browser sandbox is intended to constrain code handling untrusted web content. A potential sandbox escape concerns the crossing of that containment boundary, which raises the consequence beyond an ordinary browser error or isolated tab failure.
The qualification “potentially” remains important. The description does not establish that every trigger succeeds, that each successful trigger produces the same result, or that an attacker automatically receives complete control of the Mac. It also does not specify whether additional conditions or exploit stages are necessary.
The appropriate conclusion is direct: the 9.6 Critical CVSS score, required user interaction represented by UI:R, and potential sandbox escape make prompt deployment of the fixed Chrome version the prudent response.

Reading the Severity Information Carefully​

NIST’s National Vulnerability Database and CISA-ADP display a CVSS 3.1 score of 9.6, rated Critical, with the following vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
At a high level, the vector describes a network-delivered scenario assessed as low complexity, requiring no prior attacker privileges but requiring user interaction. It also reflects a scope change and high potential effects on confidentiality, integrity, and availability.
CVSS describes technical severity. It does not, by itself, establish the availability of public exploit code, the existence of an active campaign, the number of vulnerable systems, or the probability that exploitation will succeed in a particular environment. Organizations should combine severity with their own Mac inventory and deployment status rather than treating the numeric score as proof of observed attacks.
The supplied SSVC record lists exploitation as none, automatable as no, and technical impact as total; those values should be reported as the record’s assessment, not expanded into a claim that exploitation has been conclusively ruled out everywhere.
The absence of reported exploitation in that supplied field does not reduce the version-remediation requirement. The fixed boundary is concrete, the potential impact is serious, and the affected browser is exposed to untrusted web content as part of its normal function.

What Windows-Centric Administrators Should Inventory​

Although the affected product is Chrome on macOS, remediation may fall to a security or infrastructure team whose primary tools, policies, and reporting processes are Windows-centered. The response should begin with locating the organization’s Macs, not with scanning Windows Chrome installations for a macOS-only affected range.
The inventory should include, as applicable:
  • Corporate-owned Macs enrolled in endpoint management.
  • Developer or engineering Macs maintained through separate tooling.
  • Executive, design, media, laboratory, and specialist systems.
  • Contractor Macs authorized to access organizational resources.
  • Macs recorded in identity, access, or device-compliance systems.
  • Authorized Macs known to support teams but absent from the main endpoint console.
This is a discovery problem, but it does not need to become a generic endpoint-management exercise. The essential questions are whether the device runs macOS, whether Chrome is installed, and whether the reported Chrome version is earlier than 150.0.7871.47.
Administrators should use the inventory and software-deployment capabilities already approved for their environment. The CVE record does not prescribe a universal console query, command, status field, or evidence format. Product-specific instructions should come from the applicable browser-management or endpoint-management documentation rather than being inferred from the vulnerability description.
Prioritization should focus on confirmed affected versions and unresolved visibility:
  1. Confirmed affected: A Mac reports Chrome earlier than 150.0.7871.47.
  2. Confirmed corrected: A Mac reports Chrome 150.0.7871.47 or later.
  3. Not applicable: The Mac does not have Chrome installed.
  4. Unknown: The organization cannot currently establish whether Chrome is installed or which version is present.
Unknown systems warrant follow-up because their status has not been established, not because an unknown version proves exposure. That distinction keeps reporting accurate while ensuring minority-platform endpoints receive attention.
Teams should also avoid assumptions about which users are most likely to encounter the vulnerability. The supplied record does not establish that developers, executives, administrators, designers, or any other group is specifically targeted. Device ownership may influence operational priority, but it should not be presented as a CVE-specific attack fact.

Detection Limits and Incident Handling​

The supplied public material contains no CVE-specific indicators of compromise or detection logic. It does not provide malicious URLs, file hashes, network signatures, browser artifacts, endpoint events, process relationships, or other observables that independently identify exploitation of CVE-2026-13785.
General browser activity should not be relabeled as evidence for this vulnerability. A browser crash, unfamiliar website, unexpected prompt, or Bluetooth-related event may justify investigation in context, but none is established by the supplied record as an indicator of CVE-2026-13785 exploitation.
This limitation makes preventive remediation especially important. Version inventory can determine whether a Chrome for Mac installation is within the listed affected range even when the public record cannot determine whether that installation was previously exposed to a malicious page.
If an organization has independent evidence of suspicious browser activity or targeted web content, it should use its normal incident-response process. Relevant work may include preserving available browser and endpoint evidence, reviewing network and identity telemetry, identifying other affected devices, and determining whether activity continued beyond the browser. Those are general incident-response actions, not detection steps uniquely specified for this CVE.
The CVE record can support three parts of an investigation:
  • Establishing whether the Mac was running an affected Chrome version.
  • Describing the publicly documented crafted-page and user-interaction conditions.
  • Communicating the potential seriousness of a sandbox escape.
It cannot, on its own, attribute a browser event or system compromise to CVE-2026-13785. Attribution requires technical evidence connecting the observed activity to the vulnerability.

Concise Remediation Timeline​

The record can be summarized without inferring unsupported publication events or dates:
  1. The CVE record describes a use-after-free vulnerability in Chrome’s Bluetooth component on Mac, involving a crafted HTML page, specific interface gestures, and a potential browser sandbox escape.
  2. The current NVD record lists Google Chrome on Apple macOS before version 150.0.7871.47 as affected.
  3. NVD and CISA-ADP display a CVSS 3.1 score of 9.6 with a Critical rating.
  4. The operational threshold is Chrome for Mac 150.0.7871.47 or later.
No vendor-announcement date, update-rollout sequence, or product-interface behavior should be inferred solely from the available CVE material. Likewise, the presence of a vendor reference does not independently establish every detail that may have appeared on that page at a particular time.
For remediation tracking, the version boundary is more important than reconstructing an unsupported disclosure chronology. An installation below the threshold requires an update; an installation at or above it is outside the current record’s listed affected range.

Action Checklist for Administrators​

  • [ ] Enumerate managed and authorized macOS endpoints.
  • [ ] Include Macs owned by teams whose primary endpoint environment is Windows.
  • [ ] Determine which Macs have Google Chrome installed.
  • [ ] Identify Chrome for Mac versions earlier than 150.0.7871.47.
  • [ ] Update affected installations to 150.0.7871.47 or later using an approved method.
  • [ ] Confirm the corrected installed version through an approved inventory or verification method.
  • [ ] Follow up on Macs whose Chrome installation or version cannot be established.
  • [ ] Keep Chrome on Windows, Linux, Android, and ChromeOS out of this CVE’s affected inventory unless separate authoritative information expands the scope.
  • [ ] Do not present Bluetooth shutdown, peripheral disconnection, unpairing, or radio changes as substitutes for the Chrome update.
  • [ ] Do not claim knowledge of the exact crafted page or required gestures beyond the published description.
  • [ ] Do not present ordinary browser or Bluetooth events as CVE-specific indicators.
  • [ ] Use normal incident-response procedures if independent evidence suggests malicious browser activity.
  • [ ] Record completion when Chrome for Mac is confirmed at 150.0.7871.47 or later.

Administrator Reporting Template​

A concise internal report can communicate the result without overstating the evidence:
Reporting fieldRecommended entry
VulnerabilityCVE-2026-13785
Affected productGoogle Chrome on Apple macOS
Affected versionsEarlier than 150.0.7871.47
Remediation target150.0.7871.47 or later
Published attack conditionCrafted HTML page plus specific user-interface gestures
Published potential outcomeBrowser sandbox escape
SeverityCVSS 3.1 score 9.6, Critical
Windows Chrome statusNot included in the current published affected range
Detection statusNo CVE-specific indicators supplied in the available record
Fleet statusCount of affected, corrected, not-applicable, and unknown Macs
This format keeps the report tied to the available facts. It avoids mixing the vulnerability’s product scope with broader Chrome maintenance, avoids claiming that unknown devices are confirmed vulnerable, and avoids implying that a severity score proves active exploitation.
Where an organization maintains exceptions, each exception should identify the affected Mac, its last confirmed Chrome version, the reason deployment has not completed, the responsible owner, and a review date. Those are administrative controls rather than facts supplied by the CVE record, but they can help prevent confirmed affected installations from being lost after the initial advisory cycle.

What Defenders Should Carry Forward​

The established facts support prompt and narrowly scoped remediation:
  • CVE-2026-13785 affects Google Chrome on macOS before version 150.0.7871.47.
  • The current record does not place Chrome on Windows within the affected range.
  • The vulnerability is classified as a CWE-416 use-after-free in Chrome’s Bluetooth component.
  • The published description establishes a crafted HTML page plus specific user-interface gestures.
  • Successful exploitation could potentially escape the browser sandbox.
  • NIST NVD and CISA-ADP display a 9.6 Critical CVSS 3.1 score.
  • The supplied SSVC values are exploitation none, automatable no, and technical impact total.
  • The supplied record provides no exploit indicators or CVE-specific detection logic.
  • The remediation target is Chrome for Mac 150.0.7871.47 or later.
CVE-2026-13785 is significant because it combines a memory-safety flaw with the potential to cross an important browser containment boundary. The public information remains limited, however: it does not reveal the required gestures, the crafted page, the internal exploitation mechanics, or a signature that would let defenders identify a successful attack.
That leaves administrators with a concrete response. Find the Macs, determine which ones run Chrome, update versions below 150.0.7871.47, and confirm the corrected installed version. Do not broaden the advisory into an unsupported Windows Chrome warning, and do not replace the fixed-version boundary with speculative Bluetooth controls or detection claims.
For Windows-centric organizations, the lasting lesson is straightforward: a macOS-specific vulnerability can still belong to the central Windows-oriented security team when that team owns enterprise inventory and patch accountability. Accurate platform scope and complete visibility are complementary goals. Keep the CVE limited to the product identified by the record, while ensuring that every managed Mac remains visible enough to receive the fix.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:39:28-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:39:28-07:00
    Original feed URL
  3. Related coverage: cvefeed.io
  4. Related coverage: chromium.googlesource.com
  5. Related coverage: issues.chromium.org
 

Back
Top