CVE-2026-13819: Chrome macOS Fix Is 150.0.7871.47

Affected: Google Chrome on macOS before 150.0.7871.47. Fix: update to 150.0.7871.47 or later. Windows and Linux are not listed in this CVE configuration.
CVE-2026-13819 is a High-severity out-of-bounds read in Chrome’s ANGLE component. The Chrome-originated description says an attacker who had already compromised the renderer process could use crafted HTML to trigger the flaw. That prerequisite is central to an accurate reading: the record does not describe CVE-2026-13819 as independently compromising an otherwise intact renderer, providing remote code execution, escaping the browser sandbox, or taking control of macOS.
The practical response is nevertheless clear. Macs running Chrome below the fixed boundary should be updated, and administrators should verify the complete installed version rather than relying on a general “Chrome 150” label. The published configuration is platform-specific, so Windows and Linux systems should not be treated as affected by this CVE without additional authoritative product information.

Security infographic urges updating Chrome on macOS to address an ANGLE out-of-bounds memory vulnerability.A High Score Does Not Erase the Attack Prerequisite​

Chrome classifies CVE-2026-13819 as High severity. The CISA-ADP assessment displayed in the vulnerability record assigns it a CVSS 3.1 base score of 8.1 HIGH with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H.
Those labels describe a significant vulnerability, but they do not replace the Chrome-authored prose. The description expressly places the attacker in an already compromised renderer before the out-of-bounds read becomes available through crafted HTML. The record does not say that opening the crafted page, by itself, creates that renderer compromise.
The narrow and defensible description is therefore:
  • The affected product is Google Chrome on macOS.
  • Versions earlier than 150.0.7871.47 are within the affected range.
  • The weakness is classified as CWE-125, Out-of-bounds Read.
  • Crafted HTML is involved.
  • The attacker is assumed to have already compromised the renderer process.
  • The documented result is an out-of-bounds memory read.
  • The record does not describe the CVE as standalone remote code execution.
This distinction is not an argument for postponing the update. It is an argument for communicating the vulnerability precisely. Calling every browser memory flaw “RCE” may produce urgency, but it also obscures which security boundary the documented behavior reaches and which prerequisite is already assumed.
CVE-2026-13819 can be serious without being converted into a complete attack narrative. The available facts establish the vulnerable condition and the corrective version. They do not establish a companion renderer exploit, a sandbox escape, operating-system control, persistence, credential theft, or any other later-stage outcome.

The Documented Behavior Is an Out-of-Bounds Read​

Chrome identifies the issue in ANGLE and maps it to CWE-125. Beyond those facts, the supplied record does not provide enough technical detail to explain the relevant ANGLE code path, the exact object involved, the layout of the accessed memory, or the content that could be returned.
That limitation matters. An out-of-bounds read is a recognized memory-safety weakness, but the weakness category alone does not prove that a particular type of secret, pointer, credential, token, file, or cross-origin data can be recovered in this case. It also does not establish that the read can be converted into code execution or used to defeat a specific mitigation.
The public description supports saying that the affected operation could read beyond its intended boundary after renderer compromise. It does not support naming the data that would be exposed in a practical exploit. It also does not provide a public proof of concept, exploit sample, indicator of compromise, or confirmed malicious campaign.
The CVSS vector records High confidentiality and availability impact and None for integrity. Those are the contributed assessment values, not a substitute for missing exploit details. In particular, the None integrity value is consistent with the record describing a read rather than claiming that this CVE directly writes or modifies arbitrary memory.
Administrators do not need a more elaborate technical theory to act. The vulnerable range is measurable, the corrected boundary is explicit, and the appropriate control is to remove affected Chrome versions from managed Macs.

CVSS and SSVC Answer Different Questions​

The CISA-ADP CVSS 3.1 vector records the following attributes:
MetricRecorded value
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionRequired
ScopeUnchanged
Confidentiality impactHigh
Integrity impactNone
Availability impactHigh
Base score8.1 HIGH
These fields should be read together with the vulnerability description. “Privileges required: none” is a CVSS authorization metric; it does not delete the separately documented condition that the renderer has already been compromised. Similarly, Low attack complexity describes the contributed scoring assessment under its modeled conditions. It does not prove that obtaining the required renderer position is itself a low-complexity or single-step operation.
The displayed 8.1 score should remain attributed to CISA-ADP. The supplied record did not contain a separate NIST CVSS 4.0, CVSS 3.x, or CVSS 2.0 assessment. Describing 8.1 simply as “the NVD score” would hide the origin of the calculation.
The provided CISA Coordinator SSVC snapshot records:
  • Exploitation: none
  • Automatable: no
  • Technical impact: partial
Those values are useful context, but they are not a complete prioritization directive or a service-level recommendation. “Exploitation: none” records the assessment represented by that snapshot; it does not promise that the status can never change or establish that private exploitation is impossible. “Automatable: no” and “technical impact: partial” should likewise be reported as selected SSVC values rather than expanded into an unsupported operational mandate.
CVSS and SSVC can coexist without contradiction because they capture different dimensions of the record. The CVSS contribution assigns a High technical severity score. The SSVC snapshot does not record known exploitation and characterizes automation and technical impact more narrowly. Neither system changes the affected product or the fixed-version boundary.

The macOS Scope Is the Most Important Applicability Fact​

The supplied NVD configuration identifies Google Chrome on Apple macOS as affected when the Chrome version is earlier than 150.0.7871.47. Windows and Linux are not listed in that configuration.
That statement must remain carefully bounded. The absence of Windows and Linux from this CVE configuration means the supplied record does not identify those platforms as affected. It is not proof about every possible related code path, every Chromium branch, or every downstream browser product.
DeploymentVersion stateWhat the supplied CVE record supports
Google Chrome on macOSEarlier than 150.0.7871.47Listed within the affected configuration
Google Chrome on macOS150.0.7871.47 or laterAt or beyond the published fixed boundary
Google Chrome on WindowsAny versionWindows is not listed in the supplied affected configuration
Google Chrome on LinuxAny versionLinux is not listed in the supplied affected configuration
Microsoft Edge or another Chromium-derived productAny versionNot established by this Google Chrome CVE configuration
The Windows and Linux rows are not declarations that every build on those platforms is technically incapable of containing related code. They are applicability statements based on the supplied CVE configuration. If another vendor or an updated authoritative record later identifies additional products or platforms, those products should be assessed under that information.
For the same reason, Chrome’s version threshold should not automatically be assigned to Microsoft Edge or another Chromium-derived browser. The record names Google Chrome, uses a Chrome build number, and pairs the affected application with macOS. Shared Chromium ancestry is not sufficient evidence that another vendor shipped the affected revision, exposes the same vulnerable path, or uses the same corrected-version boundary.
The correct product-specific approach is straightforward:
  1. Apply the Chrome threshold to Google Chrome on macOS.
  2. Use Microsoft’s own advisories and release information for Microsoft Edge.
  3. Use the relevant vendor’s information for every other Chromium-derived product.
  4. Do not convert codebase similarity into a confirmed CVE finding without product-specific evidence.

Renderer Compromise Is a Required Condition​

The phrase “had compromised the renderer process” is a required part of the vulnerability description, not optional background. It establishes that the documented out-of-bounds read occurs from a position the attacker has already obtained.
The supplied record does not say how that renderer compromise occurs. It does not identify a companion CVE, a delivery campaign, a public exploit, or an affected renderer feature that provides the initial foothold. Naming any such path would go beyond the available evidence.
The record also does not describe what happens beyond the out-of-bounds read. There is no documented sandbox escape, privilege escalation, kernel transition, arbitrary code execution, or macOS takeover attributed to CVE-2026-13819. Those outcomes should not be attached to the CVE merely because they may appear in generic discussions of browser security.
At the same time, the prerequisite does not make the version safe. A system running a version explicitly included in the affected range remains within the documented vulnerable configuration. Defenders can acknowledge the prerequisite while still completing a prompt, version-based remediation.
This produces a balanced operational statement: CVE-2026-13819 is not documented as the initial renderer compromise, but affected Mac installations should still be moved to the corrected Chrome version.

What the Public Record Does—and Does Not—Establish​

A disciplined vulnerability report should separate confirmed facts from possibilities that are not documented for this CVE.

The record establishes​

  • Google Chrome is the affected product.
  • The supplied configuration identifies Apple macOS.
  • Chrome versions before 150.0.7871.47 are affected.
  • Chrome 150.0.7871.47 is the fixed boundary.
  • The affected component is identified as ANGLE.
  • The weakness is an out-of-bounds read classified as CWE-125.
  • Crafted HTML is part of the described trigger.
  • The attacker is assumed to have already compromised the renderer.
  • Chrome rates the issue High.
  • CISA-ADP contributes an 8.1 HIGH CVSS 3.1 score.
  • The provided SSVC snapshot records exploitation none, automatable no, and technical impact partial.

The record does not establish​

  • Standalone remote code execution.
  • Initial renderer compromise through this CVE alone.
  • A sandbox escape.
  • Administrator or root access to macOS.
  • Persistence on the endpoint.
  • A specific category of exposed memory contents.
  • Recovery of credentials, tokens, pointers, files, or cross-origin data.
  • Bypass of a named browser or operating-system mitigation.
  • A working public exploit or proof of concept.
  • Active exploitation or a known attack campaign.
  • Applicability to Windows or Linux.
  • Applicability to Microsoft Edge or every Chromium-derived browser.
  • A platform-independent Chrome 150 release event or rollout schedule.
  • A CVE-specific workaround equivalent to installing the fixed version.
This boundary keeps the article useful to both technical and operational readers. It avoids understating a High-severity memory-safety defect while preventing unsupported outcomes from being presented as facts.

The Record Was Enriched in Stages​

The supplied facts support a short sequence of record development, but not the previously asserted June and July calendar dates or detailed claims about every field added and removed. Those dates and unsupported change descriptions should not be repeated.

Timeline​

Initial Chrome-originated CVE information: The core record identified Google Chrome, ANGLE, the out-of-bounds read, crafted HTML, the renderer-compromise prerequisite, the macOS applicability, and the fixed-version boundary.
CISA-ADP assessment: The displayed record received the contributed CVSS 3.1 vector and 8.1 HIGH score, along with the SSVC values recording exploitation as none, automatable as no, and technical impact as partial.
NIST/NVD analysis: The vulnerability record presented the affected-product configuration pairing Google Chrome below the fixed boundary with Apple macOS.
The important lesson is attribution. A vulnerability page can display information from Chrome, CISA-ADP, and NIST together even though those organizations contributed different parts of the record. The score should remain attributed to CISA-ADP, while the product and behavior should remain tied to the Chrome-originated CVE information.
The supplied material does not justify a more granular chronology of particular fields being added, removed, or normalized. Such details should be included only when the exact change-history entries are available.

Remediation Is a Version Check on Affected Macs​

For an affected Mac, the corrective threshold is Google Chrome 150.0.7871.47 or later.
A user can perform the direct browser check as follows:
  1. Open Google Chrome on the Mac.
  2. Go to chrome://settings/help.
  3. Confirm that the displayed version is 150.0.7871.47 or later.
  4. If Chrome requests a relaunch, select Relaunch.
  5. Return to chrome://settings/help and confirm the version after Chrome reopens.
For managed environments, use the organization’s established Chrome update process and require current version evidence showing that in-scope Macs have reached 150.0.7871.47 or later. The CVE record does not prescribe a particular endpoint-management product, software-distribution method, update policy, or reporting system.

Admin verification checklist​

  • Identify managed Macs on which Google Chrome is installed.
  • Obtain the complete installed Chrome version.
  • Mark versions earlier than 150.0.7871.47 as affected.
  • Apply Chrome 150.0.7871.47 or later through the organization’s managed update process.
  • Complete a requested Chrome relaunch.
  • Verify the displayed or reported version after remediation.
  • Keep installations with missing, stale, partial, or conflicting version information open as unverified.
  • Record the 8.1 score as a CISA-ADP assessment rather than an independently authored NIST score.
  • Do not assign the CVE to Windows, Linux, Edge, or another Chromium-derived browser without authoritative product-specific evidence.
The closure condition is concrete: an affected Mac must report Google Chrome 150.0.7871.47 or later. A management status such as “update assigned” or “task completed” may help track deployment, but the CVE-specific question is whether the resulting Chrome version meets the corrected boundary.

Windows Teams Should Validate Scope Without Inventing Exposure​

Windows administrators may still encounter CVE-2026-13819 in a general vulnerability feed, a cross-platform software inventory, or an internal security ticket. The appropriate response is to check the authoritative applicability data rather than automatically treating every Chrome installation as affected.
For a Windows endpoint, the supplied configuration does not provide a direct CVE basis for an affected finding. If an internal tool reports otherwise, administrators can treat that result as a hypothetical validation check:
  • Did the tool evaluate the macOS condition?
  • Did it rely only on the Google Chrome product name?
  • Did it compare the full version boundary?
  • Is the finding based on additional authoritative information not included in the supplied record?
  • Has the tool assigned a Google Chrome CVE to a different Chromium-derived browser?
These questions do not prove that a scanner flattened CPE data or produced a false positive. They are checks to perform when an automated result conflicts with the platform-specific configuration.
The same restraint applies to organizational ownership. It is possible that Chrome on macOS is managed by a different team or inventory system, but that is not a fact supplied by the CVE record. Organizations should simply ensure that the person or system responsible for managed Macs receives the version boundary and can return current compliance evidence.
A Windows-only environment can document that Windows is not listed in the supplied affected configuration. A mixed environment should pass the macOS remediation requirement to the appropriate endpoint-management process. Neither situation requires extending the CVE beyond its documented scope.

“Exploitation: None” Is a Recorded Snapshot​

The SSVC exploitation selection of “none” should be reported exactly for what it is: the value in the provided CISA Coordinator snapshot. It does not establish active exploitation, and the article should not describe CVE-2026-13819 as a confirmed zero-day or ongoing campaign.
It is equally important not to turn “none” into a permanent warranty. Vulnerability records can change as additional evidence emerges. If Chrome, CISA, NIST, or another authoritative product source later reports exploitation, expands the affected platforms, or revises the corrected version, defenders should reassess the issue using that updated information.
For the supplied snapshot, the complete SSVC statement is more useful than any single field:
  • Exploitation was recorded as none.
  • Automation was recorded as no.
  • Technical impact was recorded as partial.
These values should not be converted into an invented deadline, emergency tier, or instruction to avoid particular response measures. The record supplies context; each organization applies its own established vulnerability-management policy to that context.
The immediate technical control remains independent of that policy choice: Google Chrome on macOS below 150.0.7871.47 is within the documented affected range, and version 150.0.7871.47 or later crosses the published fix boundary.

The Last Word Should Be the Version, Not the Headline​

CVE-2026-13819 demonstrates why accurate product and platform matching matters as much as a severity label. The 8.1 CISA-ADP score is significant, but it does not erase the renderer-compromise prerequisite. The High Chrome classification warrants attention, but it does not turn an out-of-bounds read into documented standalone RCE. The Chrome product name may appear across several operating systems, but the supplied affected configuration identifies macOS rather than Windows or Linux.
For users, the response is short: on an affected Mac, open chrome://settings/help, update to Google Chrome 150.0.7871.47 or later, relaunch if requested, and verify the version.
For administrators, the response is measurable: identify Chrome installations on managed Macs, compare their complete versions with 150.0.7871.47, use the established managed update process, and retain current evidence that each in-scope installation crossed the boundary.
Future information could change the exploitation assessment or expand the product guidance. Until authoritative sources do so, the defensible conclusion is precise and limited: Google Chrome on macOS before 150.0.7871.47 is affected; 150.0.7871.47 or later is the fix boundary; Windows and Linux are not listed in this CVE configuration.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:39:33-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:39:33-07:00
    Original feed URL
  3. Related coverage: security.snyk.io
  4. Related coverage: vulnerability.circl.lu
 

Attachments

  • windowsforum-cve-2026-13819-chrome-macos-fix-is-150-0-7871-47.webp
    windowsforum-cve-2026-13819-chrome-macos-fix-is-150-0-7871-47.webp
    175.7 KB · Views: 0
Back
Top