CVE-2026-13889: Update Chrome on iOS to 150.0.7871.47

Chrome on iOS before version 150.0.7871.47 is affected by CVE-2026-13889, a medium-severity side-channel vulnerability that may allow a remote attacker to use crafted HTML to leak cross-origin data through Chrome’s WebAuthentication handling. The documented impact is a browser-confidentiality failure, not code execution or device takeover. The available record does not establish active exploitation, passkey theft, or exposure in desktop Chrome, Chrome on Android, Safari, or other browsers. The practical response is straightforward: update Chrome on every affected iPhone to version 150.0.7871.47 or later.

At a glance​

Who is affected: Users running Chrome on iOS earlier than version 150.0.7871.47
What to do: Update Chrome through Apple’s App Store, then verify that the installed version is 150.0.7871.47 or later
What is not established: Passkey theft, arbitrary code execution, device takeover, desktop Chrome exposure, Android exposure, Safari exposure, or active exploitation

A phone displays a Chrome update prompt beside a shield blocking third-party data leakage and protecting passkeys.Chrome on iOS Is the Documented Product Boundary​

The strongest scope conclusion in the public record is also the easiest one to miss: CVE-2026-13889 is documented as affecting Chrome on iOS before version 150.0.7871.47.
That distinction matters because the vendor reference associated with the CVE has desktop-oriented framing. Administrators who classify vulnerabilities from advisory titles alone could therefore attach the issue to Windows, macOS, or Linux Chrome deployments while overlooking the affected iPhone population.
The available record does not establish that desktop Chrome, Chrome on Android, Safari, or other iOS browsers are affected by this CVE. That should not be expanded into a claim that those products are immune to every similar issue. It means only that they are outside the documented scope of CVE-2026-13889.
Deployment stateChrome on iOS versionPractical interpretation
OutdatedEarlier than 150.0.7871.47Affected; update the application
Remediated threshold150.0.7871.47Meets the stated fixed-version boundary
Newer releaseLater than 150.0.7871.47Outside the documented affected range
For Windows-focused organizations, an iOS vulnerability can still create enterprise exposure. Employees may use iPhones to reach Microsoft 365, identity portals, remote-management tools, internal applications, financial systems, source-code platforms, and other services belonging to a predominantly Windows environment.
The relevant question is not whether the vulnerable endpoint runs Windows. It is whether an outdated Chrome installation on an iPhone can access sensitive organizational web sessions.

A Medium Rating Still Describes a Browser-Boundary Failure​

CVE-2026-13889 is described as a side-channel issue involving Chrome’s WebAuthentication handling. A crafted HTML page may allow a remote attacker to leak cross-origin data from a vulnerable browser.
Cross-origin isolation is one of the web’s central security boundaries. A page controlled by one site should not be able to inspect information associated with an unrelated bank, corporate portal, email service, identity provider, or administrative console.
The available disclosure does not explain exactly what data can be inferred, how much information may be exposed, or which browser operations create the side channel. The linked Chromium issue is permission-restricted, so defenders do not have a complete public exploit narrative.
That lack of detail is a reason to avoid speculation, not a reason to postpone the update. The confirmed remediation boundary is enough to support a version-based response.
The CISA-ADP CVSS 3.1 assessment displayed in the NVD record gives the issue a base score of 6.5 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. In practical terms, the assessment characterizes the issue as:
  • Reachable through network-delivered content
  • Low in attack complexity
  • Requiring no attacker privileges
  • Requiring some user interaction
  • Carrying high confidentiality impact
  • Carrying no stated integrity or availability impact
User interaction most reasonably means that the victim must load or engage with attacker-controlled web content. That places the vulnerability outside the zero-click category, but visiting a link or page is an ordinary browser action and should not be treated as a strong protective control.
The rating also does not establish modification of browser data, arbitrary code execution, persistence, or denial of service. The reported consequence is information leakage across an origin boundary.

WebAuthentication Does Not Mean Passkeys Were Stolen​

WebAuthentication is associated with passkeys, security keys, device-backed credentials, and strong sign-in flows. Its appearance in the vulnerability description understandably raises questions about credential theft.
The documented impact does not establish that outcome.
The record does not say that private keys can be extracted, passkeys can be copied, authentication assertions can be forged, or accounts can be accessed without authorization. It describes a side-channel leak of cross-origin data involving WebAuthentication handling.
The component name identifies where the weakness manifests; it does not prove every possible security consequence associated with that component.
A side channel also differs from direct access. Instead of giving a hostile page ordinary permission to read another site’s information, a side channel may allow information to be inferred from observable differences in browser behavior, timing, state, responses, or related signals.
The public material does not identify the operative signal or the precise data exposed. Claims that the flaw reveals complete pages, passwords, account identifiers, authentication status, passkeys, or other specific information would therefore go beyond the documented evidence.
Users and administrators should not delete passkeys, replace security keys, reset every password, or re-enroll authenticators solely because an affected Chrome version is discovered. Those measures would require separate evidence of malicious-page exposure, suspicious authentication, or account compromise.
The direct remediation for this CVE is the Chrome update.

“Improper Input Validation” Describes the Weakness Class​

The record associates CVE-2026-13889 with CWE-20, Improper Input Validation. That is a broad weakness category indicating that untrusted input was not validated adequately before being processed or interpreted.
It does not reveal which WebAuthentication input was mishandled, which check was missing, or how the condition produced a cross-origin side channel.
The general security principle is clear even if the implementation details remain restricted. Browser boundaries depend on careful handling of origins, requests, state transitions, authenticator interactions, and data returned to web content. A validation failure may disclose information without corrupting memory, changing stored data, or granting conventional direct access.
That aligns with the published scoring: high confidentiality impact, but no stated integrity or availability impact.
Administrators should not fill the technical gap with assumptions drawn from unrelated WebAuthentication vulnerabilities or older browser research. The defensible facts are narrower:
  • The affected product is Chrome on iOS.
  • Versions before 150.0.7871.47 are affected.
  • Crafted HTML is the documented attack vehicle.
  • User interaction is required.
  • The reported consequence is cross-origin data leakage.
  • The available record does not establish active exploitation.
Those facts are sufficient to direct remediation without turning possibility into reported fact.

The Public Record Was Built in Layers​

The vulnerability record reflects contributions from multiple sources. The original CVE material supplied the description and product information, CISA-ADP added scoring and decision-support fields, and NIST added affected-platform analysis and reference classifications.
That layered process can produce fields that appear, change, or are removed by one contributor while similar information remains attributed to another. Vulnerability-management teams should therefore record the source of a score or classification rather than treating every field displayed by NVD as a completed NIST assessment.
The visible 6.5 rating is a CISA-ADP CVSS 3.1 assessment. It should be described that way instead of being presented as an independent NIST score.

Publication timeline​

Initial CVE publication — NVD published the CVE record with the vulnerability description, affected-version boundary, weakness information, and references supplied with the record.
CISA-ADP enrichment — CISA-ADP added a CVSS 3.1 assessment and an SSVC record indicating no known exploitation, non-automatable exploitation, and partial technical impact at the time of that assessment.
Weakness-field revision — CISA-ADP later removed its copy of the CWE-20 field, while the weakness classification remained represented elsewhere in the layered record.
NIST analysis — NIST added affected software configuration information that associates the vulnerable Chrome range with Apple’s iPhone operating system and classified the attached references.
The practical lesson is that a newly published CVE entry is not necessarily static. Administrators should monitor it for changes in affected products, scoring, exploitation status, and remediation guidance, while continuing to enforce the already documented fixed-version threshold.

Exact iPhone Remediation Steps​

Updating Chrome on a Windows PC does not update Chrome on an iPhone. Each affected iPhone must receive the iOS application update independently.

Update Chrome through the App Store​

  1. Open the App Store on the iPhone.
  2. Tap the user’s profile picture or account button in the upper-right corner.
  3. Scroll to the pending app updates.
  4. Find Google Chrome.
  5. Tap Update next to Chrome.
  6. If Chrome is not listed, pull down on the account screen to refresh the available updates.
  7. Wait for the installation to complete, then reopen Chrome.
Users can also search for Google Chrome in the App Store and tap Update on its product page if that button appears. If the App Store shows Open instead, the newest Chrome release currently available to that Apple account and device is already installed.

Verify the installed Chrome version​

After the update:
  1. Open Chrome.
  2. Tap More, represented by the three-dot menu.
  3. Tap Settings.
  4. Tap Google Chrome.
  5. Read the installed version shown on that screen.
  6. Confirm that it is 150.0.7871.47 or later.
The version check is important because assigning or initiating an update does not prove that installation succeeded. If the displayed number is still below 150.0.7871.47, return to the App Store and check again.
If the fixed release is not offered immediately, the user should retry after refreshing the App Store and confirm that the iPhone can download application updates. Until the update is available and verified, avoiding sensitive browsing in the outdated Chrome installation is a reasonable temporary precaution. It is not a permanent substitute for patching.

Sparse Disclosure Makes Version Evidence More Important​

Because the underlying issue details are restricted, organizations cannot reliably build a detection rule around a publicly documented exploit sequence. Version evidence is therefore the clearest basis for finding and closing exposure.
A device should not be marked remediated merely because:
  • The Chrome update was assigned
  • Automatic application updates are enabled
  • The App Store reports that an update is available
  • The device checked in before the update was released
  • Chrome is listed as an installed application without a version number
Administrators need a recent inventory record showing Chrome on iOS at version 150.0.7871.47 or later.
Mobile inventory can be incomplete, especially in bring-your-own-device environments. Where direct version collection is unavailable, organizations may need to combine user instructions, compliance attestations, supported mobile-management controls, and existing access policies.
The desktop framing of the linked vendor page also deserves attention. Vulnerability scanners or ticketing rules that infer platform scope from reference titles may classify the CVE incorrectly. Security teams should verify that the affected population is built from the CVE’s documented iOS product range rather than from the advisory title alone.

Practical Guidance for Administrators​

The immediate task is to identify outdated Chrome installations and verify the update. Broader incident-response action is not justified without additional evidence.

Action checklist for admins​

  • Inventory Chrome on managed or enrolled iPhones, including the installed version and latest check-in time.
  • Mark every Chrome on iOS installation earlier than 150.0.7871.47 as affected.
  • Push or require the current App Store release through the organization’s normal mobile application-management process.
  • Recheck the installed version after deployment rather than treating update assignment as proof of remediation.
  • Review scanner and ticket-routing rules for errors caused by the desktop-oriented framing of the linked advisory.
  • Prioritize verification on devices used for administrative, identity-sensitive, financial, healthcare, development, or other confidential web sessions.
  • Use established noncompliance or access-control procedures for devices that remain outdated, where organizational policy permits.
  • Monitor the NVD record and vendor communications for changes in scope, exploitation status, or technical guidance.
Organizations should label any additional exposure-reduction steps accurately. Asking users to avoid unknown links is sensible general security advice, but it is not a reliable compensating control for an unpatched browser. Temporarily steering sensitive activity away from outdated Chrome may reduce risk, but the fixed version remains the remediation.

What Users and Help Desks Should Not Do​

Finding an affected version is not proof that data was leaked. A vulnerable application becomes an incident only when relevant exposure and exploitation conditions are present.
Without separate evidence, users and help desks should not:
  • Reset all passwords
  • Delete or replace passkeys
  • Re-enroll every authenticator
  • Wipe the iPhone
  • Disable WebAuthentication across the organization
  • Remove Chrome synchronization from every account
  • Treat every affected user as compromised
  • Assume desktop Chrome or Android Chrome is exposed to this CVE
  • Report that attackers are actively exploiting the flaw
If telemetry or user reporting shows that an affected iPhone loaded suspicious content, the organization can investigate that event under its normal incident-response process. Account review, session revocation, credential changes, or authenticator replacement should follow evidence from that investigation rather than the CVE number alone.
A concise help-desk message is more useful than an alarmist one:
Update Google Chrome from the iPhone App Store. Then open Chrome and go to More, Settings, Google Chrome. Confirm the version is 150.0.7871.47 or later. No password or passkey reset is required solely because of this update notice.

The Risk Calls for Prompt Patching, Not an Emergency Declaration​

The available scoring presents a measured picture. CVE-2026-13889 is remotely reachable, low complexity, requires no attacker privileges, and may have significant confidentiality consequences. It also requires user interaction, has no stated integrity or availability impact, and had no known exploitation in the referenced assessment.
That combination supports prompt remediation without unsupported claims of an active crisis.
The most important WindowsForum-added correction is the product boundary: despite the desktop framing of the linked vendor reference, the documented affected population is Chrome on iOS earlier than 150.0.7871.47. Security teams should direct their effort toward iPhone inventory and App Store update verification rather than assuming that every Chrome platform shares the same exposure.
Future updates to the vulnerability record may provide more technical detail, revise scoring, or change the exploitation assessment. Administrators should monitor those developments, but they do not need to wait for them. The current action remains clear and verifiable: update Chrome on affected iPhones and confirm that every installation reports version 150.0.7871.47 or later.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:40:14-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:40:14-07:00
    Original feed URL
  3. Related coverage: chromium.googlesource.com
  4. Related coverage: vulnerability.circl.lu
 

Back
Top