CVE-2026-13878: Update Chrome for macOS to 150.0.7871.47

Affected Macs running Google Chrome below 150.0.7871.47 should update, relaunch the browser, and verify the complete installed version. CVE-2026-13878 is a renderer-compromise-to-sandbox-escape issue involving Chrome’s Bluetooth component, not a proven proximity-based Bluetooth attack.
PlatformChrome range in the published configurationRecord statusPractical interpretation
macOSBefore 150.0.7871.47Identified as affectedUpdate to 150.0.7871.47 or later, relaunch Chrome, and verify the complete version
WindowsNo affected configuration listedNot identified by this CVE recordDo not transfer the Mac-specific finding to Windows without additional vendor evidence
LinuxNo affected configuration listedNot identified by this CVE recordThe published record does not establish Linux exposure
The published affected range ends before 150.0.7871.47. That makes 150.0.7871.47 or a later approved stable release the practical remediation target, but the available record should not be paraphrased as an explicit vendor statement that this exact build fixes CVE-2026-13878 unless the corresponding Google advisory is also provided.

A laptop shows a Chrome update prompt beside browser sandbox security and version-verification graphics.What individual Mac users should do​

  1. Open Google Chrome.
  2. Use the standard Chrome update path: Chrome menu > Help > About Google Chrome.
  3. Read the complete version number displayed on the page.
  4. Confirm that it is 150.0.7871.47 or later.
  5. If Chrome offers a Relaunch control, select it.
  6. After Chrome reopens, return to the About page and verify the complete version again.
  7. If the version remains below 150.0.7871.47, follow the organization’s approved update process or contact its administrator.
The menu sequence above is Chrome’s standard update and version-check path; it is operational guidance, not a procedure derived from the CVE record itself. Users should compare the full dotted version number rather than relying on the major version “150.”

The Attack Begins After Another Defense Has Already Failed​

The defining condition in the vulnerability description is that the attacker has already compromised the renderer process before attempting to exploit the Bluetooth use-after-free through a crafted HTML page.
That prerequisite places CVE-2026-13878 later in a possible exploit chain. The vulnerability is not described as providing the initial renderer compromise. Instead, it may allow an attacker who already controls that restricted browser process to attempt to cross the sandbox boundary.
This distinction reduces the risk of misleading headlines without making the vulnerability unimportant. Chrome’s renderer sandbox is intended to contain hostile or compromised web content. A flaw that may help an attacker move beyond that containment boundary is worth prompt remediation, even when it cannot independently provide the attacker’s first foothold.
The public description identifies crafted HTML as the delivery mechanism. The CISA-ADP assessment records a network attack vector and required user interaction, but the supplied material does not define the exact interaction or provide a public exploit sequence. It therefore does not support claims about a specific click, permission prompt, download, Bluetooth pairing action, peripheral, or browser gesture.
CISA-ADP’s Stakeholder-Specific Vulnerability Categorization contribution lists exploitation as none and automatable as no. Those entries mean that exploitation was not identified in that assessment and that the vulnerability was not categorized as readily automatable. They do not guarantee that exploitation is impossible or that the status cannot change.
The accurate threat summary is narrow: crafted web content may allow an attacker who already controls a Chrome renderer on an affected Mac to exploit a use-after-free in the Bluetooth component and attempt a sandbox escape. The record does not establish an active campaign or a standalone attack against an otherwise uncompromised browser.

“Bluetooth” Identifies the Component, Not the Attack’s Physical Range​

The Bluetooth label can easily be mistaken for evidence of a nearby wireless attack. The supplied description does not say that an attacker must be physically close to the Mac, pair a malicious peripheral, impersonate a headset, or transmit a hostile Bluetooth radio packet.
Instead, the documented path involves crafted HTML after renderer compromise, and the CISA-ADP assessment records a network attack vector. Bluetooth is the affected Chrome component, but the record does not describe proximity as the means of delivery.
Administrators should therefore avoid presenting Bluetooth shutdown, peripheral disconnection, or device unpairing as substitutes for updating Chrome. The record does not establish those actions as complete mitigations. The direct remediation remains version-based: identify affected Macs, update Chrome, relaunch it when required, and verify the resulting version.
Platform scope is equally important. The published configuration identifies Google Chrome on macOS before 150.0.7871.47. It does not identify Google Chrome on Windows or Linux as affected by this CVE.
That does not mean Windows and Linux browsers should be left outdated. It means routine browser maintenance and CVE-specific exposure are different questions. Organizations can maintain a broad Chrome patching policy while keeping the CVE-2026-13878 finding limited to the product, platform, and version range supported by the published record.
For WindowsForum readers, this is a practical warning about vulnerability attribution. A Windows-focused security team may still own patch compliance for Macs, but it should not turn a Mac-specific entry into a Windows Chrome alert merely because Chrome is installed on both platforms.

A Use-After-Free Creates a Memory-Lifetime Risk​

The record associates CVE-2026-13878 with CWE-416, Use After Free, and identifies Chrome’s Bluetooth component as the affected area.
A use-after-free occurs when software continues to reference an object after the memory associated with that object has been released. Because the freed memory may be reused, vulnerable code can later operate on data that no longer represents the original object. Depending on the surrounding implementation and attacker control, this class of defect can cause a crash or create more serious security consequences.
The available material does not provide enough technical detail to describe the exact memory state, triggering sequence, or exploitation method for CVE-2026-13878. The linked Chromium issue is marked Permissions Required, limiting what can be confirmed from the public issue reference.
Reports should consequently avoid inventing Bluetooth API calls, object layouts, allocation behavior, required hardware, permission decisions, or exploit-reliability conditions. The supported conclusion is simpler: this is a use-after-free in Chrome’s Bluetooth component that may permit a sandbox escape after the renderer has already been compromised.
The word may remains important. The description states a potential security outcome, not a guarantee that every attempt will succeed on every affected Mac. That uncertainty does not weaken the version-based remediation instruction because affected installations can be identified without reproducing the vulnerability.

The Sandbox Boundary Is the Central Security Concern​

The most important potential consequence is movement beyond the compromised renderer’s restricted environment. Browser renderers process untrusted web content and are deliberately isolated so that a flaw in page handling does not automatically become unrestricted endpoint access.
CVE-2026-13878 matters because the published description places the Bluetooth use-after-free at that containment boundary. The attacker is assumed to have achieved renderer compromise already; this vulnerability may then provide a route toward escaping the sandbox.
CISA-ADP records changed scope and High impact for confidentiality, integrity, and availability in its CVSS contribution. Its SSVC data separately records:
  • Exploitation: none
  • Automatable: no
  • Technical impact: total
These values describe a vulnerability with potentially severe technical consequences if the documented conditions are met, but without identified exploitation in the supplied assessment. A high potential impact does not itself prove that attacks are occurring.
This supports a measured response: patch affected Macs promptly, but do not classify an endpoint as compromised merely because it runs an affected version. Version exposure is a vulnerability-management finding; evidence of malicious activity is an incident-response finding.

Medium and 9.6 Critical Reflect Different Assessment Lenses​

Chromium classifies CVE-2026-13878 as Medium, while the CISA-ADP CVSS 3.1 contribution produces a base score of 9.6 CRITICAL. NVD displays the CISA-ADP score but does not provide a separate NVD-authored CVSS assessment in the supplied record.
The two labels emphasize different aspects of the issue. Chromium’s project-specific rating appears alongside a substantial exploit-chain prerequisite: the attacker must already have compromised the renderer. CVE-2026-13878 is not described as creating that initial position.
The CISA-ADP vector emphasizes the characteristics and potential consequences of successfully exploiting the vulnerable stage. It records a network vector, low attack complexity, no privileges required, required user interaction, changed scope, and High confidentiality, integrity, and availability impact.
The vector’s PR:N value should not be rewritten as “no prerequisites.” In CVSS terms, it indicates that legitimate privileges in the target environment are not required. The written vulnerability description separately establishes prior renderer compromise as a technical condition in the attack sequence.
Neither assessment should be stripped of its attribution or context. Saying only that the flaw is Medium can obscure the possible effect of a successful sandbox escape. Saying that “NVD rates an unauthenticated Mac takeover 9.6” would misattribute the score and omit the renderer-compromise prerequisite and required user interaction.
A concise and accurate internal entry is:
Chromium rates CVE-2026-13878 Medium. NVD displays a CISA-ADP CVSS 3.1 score of 9.6 Critical, while no separate NVD-authored CVSS assessment is provided in the available record.
Patch priority and current attack prevalence remain separate questions. The potential impact supports prompt remediation; the supplied exploitation status does not establish an active campaign.

The Record Was Enriched in Stages​

The supplied record reflects contributions from different organizations rather than a single unified assessment.

Timeline​

June 30, 2026: NVD published the CVE record containing the Chrome-originated vulnerability information.
July 1, 2026: CISA-ADP and NIST enrichment added assessment and affected-configuration information, including the contributed CVSS and SSVC data and the macOS-specific product mapping.
This sequence explains why security products may display different combinations of severity, weakness, platform, and exploitation information depending on when they ingested or refreshed the record. It does not change the immediate operational boundary: the published affected configuration identifies Google Chrome on macOS before 150.0.7871.47.
Attribution should be preserved when the finding is documented:
  • Chromium supplies the Medium project severity.
  • CISA-ADP supplies the 9.6 Critical CVSS 3.1 contribution.
  • CISA-ADP supplies the SSVC values.
  • NVD displays those contributions and the affected configuration.
  • No separate NVD-authored CVSS assessment appears in the supplied record.
A scanner or dashboard may reduce this material to one headline score. Administrators should retain the source labels because the numerical score, vendor severity, affected range, and exploitation status answer different operational questions.

Remediation Is a Platform-and-Version Check​

The published affected range ends before Chrome 150.0.7871.47 on macOS. A Mac reporting an earlier complete version remains within that range. A Mac reporting 150.0.7871.47 or a numerically later supported version lies outside it.
The CVE threshold is a minimum remediation boundary, not a recommendation to pin every Mac permanently to that build. If a later approved stable version is already installed, administrators should not downgrade Chrome to match the threshold.

Concise administrator validation checklist​

  • Identify managed macOS devices with Google Chrome installed.
  • Collect the complete installed Chrome version from each Mac.
  • Mark versions below 150.0.7871.47 as affected.
  • Update affected installations to 150.0.7871.47 or a later approved stable release.
  • Ensure Chrome is relaunched when required for the update to take effect.
  • Collect fresh version evidence after deployment and relaunch.
  • Keep devices with missing, stale, or conflicting version data in an unknown state until validated.
  • Record Chromium’s Medium rating and CISA-ADP’s 9.6 Critical score as separate assessments.
  • Record that exploitation was listed as none in the supplied SSVC assessment.
  • Exclude Windows and Linux Chrome from this CVE’s affected inventory unless authoritative product-specific evidence expands the scope.
The closure criterion should be equally direct: every in-scope Mac either reports Chrome 150.0.7871.47 or later, or remains assigned for follow-up because its current version cannot yet be established.
A successful software-distribution action is not necessarily the same as a verified browser version. The useful evidence is the complete Chrome version reported after remediation, particularly where a relaunch was required.

Scanner Results Should Preserve the Mac-Only Scope​

CVE-2026-13878 is a useful test of whether a vulnerability-management system can preserve context instead of importing only the highest visible score.
A defensible finding needs four pieces of information:
DimensionWhat the supplied record establishes
Product and platformGoogle Chrome on macOS
Affected rangeVersions before 150.0.7871.47
Attack conditionThe renderer has already been compromised; crafted HTML is involved
Assessment statusCISA-ADP scores 9.6 Critical and lists exploitation as none
Scanner logic should validate both macOS and the complete Chrome version. A result against Windows or Linux should be checked against the published affected configuration rather than accepted solely because Google Chrome is installed.
The same product-specific discipline applies to Microsoft Edge and other Chromium-derived browsers. Shared Chromium ancestry does not prove that another browser contains the vulnerable code in the same form, exposes it under the same conditions, or uses Chrome’s version boundary. Each browser should be evaluated through its own vendor information.
Teams should also avoid using the CISA-ADP score as evidence that exploitation has occurred. A high base score represents modeled technical severity. It does not establish attack activity, endpoint compromise, or the existence of a public exploit.
Conversely, Chromium’s Medium rating should not become an automatic reason to defer remediation. The published range provides an uncomplicated version test, and the potential consequence involves an important browser containment boundary. Updating affected Macs is lower-risk than debating which single label should dominate.

Windows Teams Still Have a Role​

A macOS-specific CVE can remain relevant to a Windows-oriented operations team. Many organizations centralize browser governance, vulnerability tickets, software inventory, or patch accountability even when most endpoints run Windows.
The appropriate response is not to broaden the vulnerability to Windows. It is to make sure that Macs remain visible to the same operational processes. The security team should be able to identify which Macs run Chrome, determine their full versions, deploy an approved update, and produce post-remediation evidence.
This is the broader WindowsForum value of the issue: broad administrative responsibility should not produce broad unsupported technical claims. Windows teams can own the Mac remediation while keeping the CVE attached only to the platform established by the record.

The Public Record Supports Prompt Action, Not Panic​

CVE-2026-13878 is a Chrome Bluetooth use-after-free that may help an attacker escape the renderer sandbox after the renderer has already been compromised. The affected configuration is limited to Google Chrome on macOS before 150.0.7871.47, and the supplied assessment does not identify exploitation.
The response is concrete: find affected Macs, update Chrome, relaunch it, and verify the complete version. Do not substitute Bluetooth configuration changes for the browser update, do not copy the Mac finding to Windows or Linux, and do not treat a vulnerable version as proof of compromise.
The Medium-versus-9.6 discrepancy is best handled through attribution rather than argument. Chromium supplies the project severity; CISA-ADP supplies the standardized score and SSVC context; NVD displays the contributed data and platform configuration. Together, those elements describe a potentially severe second-stage vulnerability with a meaningful prerequisite and no confirmed exploitation in the supplied assessment.
The immediate security boundary is therefore clear even while the deeper technical details remain restricted. A Mac below 150.0.7871.47 requires remediation. A Mac at or above that threshold requires recorded verification. Everything beyond those conclusions should remain tied to new authoritative evidence rather than speculation.
That discipline will remain important as browser vulnerability records continue to combine vendor descriptions, external scoring, platform enrichment, and evolving metadata. Administrators who preserve product scope, source attribution, and complete version evidence will be able to patch quickly without turning every alarming component name or numerical score into a claim the public record does not support.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:39:38-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:39:38-07:00
    Original feed URL
  3. Related coverage: chromium.org
  4. Related coverage: chromium.googlesource.com
  5. Related coverage: developer.chrome.com
 

Back
Top