CVE-2026-13907: Update Chrome for iOS to 150.0.7871.47

Google disclosed CVE-2026-13907 on June 30, 2026, as a Medium-severity Chrome for iOS vulnerability affecting versions before 150.0.7871.47, in which a remote attacker can use a crafted HTML page and carefully induced screen gestures to spoof trusted-looking interface elements on an iPhone. The flaw does not arrive with the usual markers of a browser emergency: no reported exploitation, no critical score, and no evidence in the public record of a direct confidentiality breach. Its danger is subtler because it targets the point where users decide whether a screen, prompt, or action can be trusted. For consumers and enterprise administrators alike, this is a reminder that a browser can remain technically intact while its visual promises become unreliable.

A smartphone security interface separates a hooded hacker from protected devices and analytics.A Medium Bug That Attacks Confidence, Not Memory​

CVE-2026-13907 is described by Chrome and the National Vulnerability Database as an “inappropriate implementation” in iOSWeb. A remote attacker who persuades a victim to perform specific user-interface gestures on a crafted HTML page can reportedly cause UI spoofing, making attacker-controlled content misrepresent information that the user would ordinarily treat as authoritative.
That description is narrower than the language attached to memory-corruption vulnerabilities, sandbox escapes, or credential-stealing malware. There is no public claim that the flaw allows arbitrary code execution, direct data extraction, or control of the device. The attacker is instead manipulating presentation and interaction: the victim sees something, performs an action, and may draw the wrong conclusion about what Chrome is displaying.
CISA-ADP classified the weakness as CWE-451, User Interface Misrepresentation of Critical Information. That categorization is important because it identifies the security boundary being attacked. The weakness is not merely that a webpage can imitate a familiar login form—ordinary webpages have always been able to draw convincing graphics—but that a flawed implementation can reportedly let web content create a misleading relationship between what the page shows and what the browser or user appears to be doing.
The practical risk is therefore behavioral. A successful exploit would be valuable when the attacker needs the victim to approve a prompt, trust a destination, continue through an authentication workflow, or believe that a visual state belongs to the browser rather than the page. The public record does not establish which exact interface elements can be spoofed, and the associated Chromium issue requires permission, so claims about a specific phishing flow, prompt, or browser control would go beyond the available evidence.
That lack of detail should temper speculation, not urgency. Security teams do not need a public proof of concept to recognize the value of breaking the visual contract between a browser and its user. The vulnerable asset is trust itself, and trust is routinely the last control standing after an attacker has already delivered a convincing message or link.

The Gesture Requirement Is a Brake, Not a Shield​

The CISA-ADP CVSS v3.1 score is 4.2, placing the vulnerability in the Medium range. Its vector—AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L—describes a network-reachable flaw with high attack complexity, no privileges required, mandatory user interaction, unchanged scope, no direct confidentiality impact, and low integrity and availability effects.
Those characteristics explain why CVE-2026-13907 is not being treated as a critical browser compromise. An attacker does not merely send a packet or wait for a page to load. The victim must be convinced to engage in specific UI gestures, and the exploit appears to depend on conditions or sequencing complicated enough to earn a High attack-complexity rating.
But user interaction is not the same thing as meaningful protection. Modern social engineering is built around eliciting taps, swipes, confirmations, and repeated attempts. A malicious page can tell a visitor to swipe to continue, tap to reveal content, dismiss an obstruction, retry a payment, verify an age, or complete a security check. The gesture requirement means the attacker needs a script for the victim as well as a script for the browser.
That makes the flaw less suitable for indiscriminate drive-by exploitation but potentially compatible with targeted campaigns. An attacker who already has a believable pretext—a benefits notification, collaboration invitation, account warning, delivery message, or identity-verification request—may be able to incorporate the required movements into the supposed workflow. The exact scenario remains unconfirmed because the technical issue is not publicly readable, but the CVE description itself establishes that persuasion is part of the exploitation chain.
The “remote attacker” language also needs precision. It means the attacker can deliver the crafted HTML over a network and does not need physical access or an existing account on the device. It does not mean exploitation is silent, automatic, or guaranteed merely because a vulnerable user visits a page.
CISA-ADP’s Security-Specific Vulnerability Categorization assessment reinforces that distinction. It recorded exploitation as “none,” automatable as “no,” and technical impact as “partial.” In operational terms, that is a signal to patch through normal accelerated browser-maintenance channels rather than to assume an active, self-propagating mobile crisis.

The Score Describes the Exploit, Not the Phishing Campaign Around It​

CVSS is useful for describing the intrinsic technical properties of a vulnerability, but it does not calculate the full business impact of every campaign that might use it. A 4.2 flaw paired with a weak lure may go nowhere. The same flaw inserted into a carefully researched interaction with an executive, administrator, finance employee, or help-desk operator could become more consequential.
The vector assigns no confidentiality impact because the vulnerability itself is not described as directly reading protected information. That does not prove credentials could never be exposed after a victim is deceived. It means the scored technical outcome does not include direct confidentiality loss, and administrators should not rewrite the record into a stronger claim.
Similarly, the low integrity and availability ratings indicate limited technical effects according to CISA-ADP’s assessment. They do not mean that every downstream action taken by a deceived user would be trivial. Vulnerability scoring necessarily draws a boundary around the flaw; incident response must also consider what the attacker might persuade a user to do once that boundary has been visually blurred.
At the time represented by the NVD record, NIST had not supplied its own CVSS v4.0, v3.x, or v2.0 assessment. The available 4.2 score comes from CISA-ADP, while Chromium independently labels the security severity Medium. Those classifications align broadly, but neither should be misrepresented as a final NVD score.
That distinction matters for vulnerability-management systems that ingest multiple data providers. A dashboard may show the CISA-ADP score, display no NVD score, or temporarily present the entry as still undergoing enrichment. Administrators should confirm which authority produced the number rather than interpreting an empty NVD field as evidence that the vulnerability has no measurable severity.

One Version Boundary Separates Exposure From Remediation​

The affected-version statement is unusually clear: Google Chrome on iOS versions prior to 150.0.7871.47 are affected. The supplied configuration uses a custom version comparison with 150.0.7871.47 as the exclusive upper boundary of the vulnerable range.
Chrome on iOS stateVersion conditionRecorded statusSecurity reading
Vulnerable installationEarlier than 150.0.7871.47AffectedUpdate is required
Remediation boundary150.0.7871.47Outside the stated affected rangeMinimum version to verify
Later installationNewer than 150.0.7871.47Outside the stated affected rangeRetain through normal update compliance
The distinction between “fixed version” and “outside the affected range” can sound academic, but it prevents administrators from overstating what the record says. The NVD configuration marks versions up to, but excluding, 150.0.7871.47 as vulnerable. It does not provide a separate prose statement describing every later build.
Operationally, the appropriate minimum is still straightforward. Devices running an earlier Chrome for iOS build should be brought to 150.0.7871.47 or later, and compliance tools should compare the complete four-part version rather than relying on the major version alone.
A fleet report that says only “Chrome 150” is insufficient. Depending on how an inventory product normalizes application versions, two installations may share the same major version while falling on opposite sides of the security boundary. Administrators need the full reported version string from the installed iOS application.
The version test should also be applied to the affected product, not every Chromium-branded or Chromium-derived package found in an asset database. The canonical description is specific to Google Chrome on iOS. A generic scanner that maps the CVE to unrelated desktop or Linux Chromium packages may produce noise unless its product and platform logic preserves that scope.

NIST’s Platform Logic Prevents a Desktop False Alarm​

NIST’s initial analysis added a compound CPE configuration connecting the Google Chrome application condition with Apple iPhone OS. That relationship is expressed as an AND: the vulnerable Chrome version condition and the Apple mobile operating-system context belong together.
This is one of the most operationally useful parts of the NVD enrichment. It tells scanners and administrators that the presence of a Chrome version number alone is not enough. The application must be considered in the iPhone OS environment described by the configuration.
The implication for Windows estates is direct. A Windows endpoint running Chrome should not be marked vulnerable to CVE-2026-13907 merely because a simplistic rule notices that its version appears numerically below 150.0.7871.47. The affected product record and the iOSWeb description make this a Chrome-on-iOS issue, while the CPE logic supplies the platform guardrail.
That does not make the vulnerability irrelevant to Windows-focused administrators. Microsoft-oriented organizations routinely manage identities, email, collaboration tools, web applications, and conditional-access decisions that users reach from iPhones. The vulnerable endpoint may be mobile, but the account, application, and data placed at risk by deception can still belong to the Windows-centered enterprise.
The NVD reference metadata contains another possible source of confusion. The Chrome release-notes reference is tagged as release notes, yet the supplied address includes “stable-channel-update-for-desktop” in its path. That reference name must not be used to expand the affected scope to desktop Chrome when the CVE description, product record, and CPE relationship all identify Chrome on iOS.
This is precisely why vulnerability management cannot be reduced to matching identifiers against page titles. References may be broad release posts containing multiple fixes, and URL naming may reflect the structure of a release announcement rather than the applicability of each individual CVE. The machine-readable product and platform conditions carry more weight for scoping this flaw.

The Public Record Leaves the Exploit Mechanics Behind a Locked Door​

The NVD record links to Chromium issue 505156685, but the reference is marked “Permissions Required.” That means the public can see the existence of the issue and its association with the CVE without necessarily seeing reproduction steps, patch discussion, affected UI states, or the original demonstration.
Restricted bug details are common when disclosure could hand attackers a ready-made roadmap before enough users have updated. They also force responsible reporting to stay close to the canonical description. The available evidence supports “UI spoofing through a crafted HTML page after specific gestures”; it does not support a detailed reconstruction of the exploit.
That has not stopped some secondary vulnerability pages from supplying more confident terminology. SentinelOne’s vulnerability database, for example, labels CVE-2026-13907 an XSS vulnerability. The canonical Chrome and NVD descriptions do not use that classification, and the assigned weakness is CWE-451 rather than a cross-site-scripting category.
The distinction is not editorial nitpicking. Cross-site scripting normally conveys expectations about script execution in an unintended origin or context, while UI spoofing concerns the presentation of misleading interface information. Those concepts can appear in the same attack chain, but the public record supplied for this CVE establishes only the latter.
Administrators should therefore avoid building detection logic around an assumed script-injection signature. There is no public evidence here that a conventional XSS scanner, content-security-policy alert, or web application firewall rule would identify the underlying browser behavior. The confirmed control is version remediation.
The locked issue also prevents a reliable judgment about how visually convincing the spoof can become. It may involve a narrow transition state, a temporary overlay, or some other interaction-dependent misrepresentation. Until Google releases more detail, screenshots and demonstrations attributed to this CVE should be treated cautiously unless they can be tied back to the authorized Chromium record.

The Disclosure Record Shows Rapid Enrichment, Not Active Exploitation​

The chronology is short but instructive. Chrome supplied the initial CVE data, CISA-ADP added scoring and prioritization information, and NIST then added platform applicability and reference classifications.

Timeline​

June 30, 2026, 7:17:04 PM: NVD recorded receipt of the new CVE from Chrome, including the description, affected-version boundary, release-notes reference, and restricted Chromium issue.
June 30, 2026, 10:16:51 PM: CISA-ADP modified the record with the CVSS v3.1 vector, CWE-451 classification, and SSVC assessment.
July 1, 2026, 1:52:55.540435 AM UTC: The SSVC data was timestamped with exploitation set to none, automation set to no, and technical impact set to partial.
July 1, 2026, 3:45:48 PM: NIST’s initial analysis added the Chrome and Apple iPhone OS CPE relationship and classified the two references.
The NVD quick information lists June 30, 2026, as the publication date and July 1, 2026, as the last-modified date. That sequence does not show a vulnerability escalating overnight; it shows the normal layering of vendor, CISA-ADP, and NIST data around a newly published record.
The SSVC “exploitation: none” value deserves equally careful reading. It reports the exploitation assessment captured in that record at that timestamp. It is not a permanent guarantee, and it should not be transformed into the broader claim that exploitation is impossible or that no security researcher has ever exercised the flaw.
“Automatable: no” is also meaningful but limited. The attack reportedly requires specific user gestures, making large-scale unattended exploitation less practical. Attackers can still automate delivery, page generation, targeting, and follow-up while leaving the victim to perform the required interaction.
The record therefore supports a measured response: patch promptly, verify the affected population, and watch for new vendor information. It does not support emergency claims about active mass exploitation, nor does it justify leaving vulnerable builds in service simply because the current SSVC entry is comparatively reassuring.

Mobile Application Inventories Are Often the Weak Link​

Enterprise browser maintenance is usually strongest on Windows desktops, where software inventory, patch rings, configuration policy, and endpoint telemetry are mature. Mobile browsers can fall between teams: the endpoint group owns laptops, the mobility group owns managed devices, identity owns access policies, and security operations sees only fragments of application data.
CVE-2026-13907 exposes that organizational seam. The remediation is simple only if the administrator can answer three questions: which users have Chrome installed on iOS, which exact versions are running, and whether application updates are being successfully applied.
Fully managed devices should be the easiest population to assess, assuming the mobile-device or application-management platform reports installed application versions. The harder cases are personally owned devices permitted to access organizational services, devices enrolled with limited visibility, and users who install alternative browsers outside a centrally assigned application catalog.
A policy stating that automatic application updates are enabled is not the same as evidence that every installation has crossed the required version boundary. Updates can be delayed by device state, connectivity, store behavior, user settings, or inventory-reporting lag. The verification step matters more than the intended setting.
Organizations should also resist the temptation to handle the flaw only through a generic awareness message. Telling users not to trust suspicious pages is useful, but it does not correct the browser implementation. The fact that exploitation requires persuasion makes user education relevant; it does not turn education into a substitute for the update.

Action checklist for admins​

  • Inventory Google Chrome installations specifically on managed and enrolled iOS devices.
  • Verify the complete application version and identify every installation earlier than 150.0.7871.47.
  • Push or require the current Chrome for iOS update through the organization’s mobile-management process.
  • Recheck device inventory after the deployment window instead of assuming automatic updates completed.
  • Review personally owned device access where application-version visibility or update enforcement is unavailable.
  • Remind users to stop and reopen suspicious workflows rather than following unusual instructions involving repeated taps or gestures.
  • Ensure vulnerability scanners preserve the Apple iPhone OS condition and do not generate unsupported desktop Chrome findings.
The checklist is deliberately conservative. There is no need to disable Chrome across an iOS fleet if the application is updated and verified, and the current record does not establish that blocking HTML content, disabling a particular feature, or changing a browser setting mitigates the flaw.

UI Spoofing Sits Where Technical Controls Meet Human Habit​

Security interfaces work because users learn patterns. They recognize where a browser shows destinations, how prompts appear, what happens after navigation, and which visual elements seem to belong to the application rather than the webpage. UI spoofing attacks exploit the fact that those judgments are made quickly, often on a small screen.
Mobile devices increase the importance of those compressed judgments. A user may be moving between a message, a browser page, an authentication application, and an enterprise service while holding the device in one hand. The smaller display and gesture-driven workflow mean that navigation and confirmation are intertwined with taps and swipes.
CVE-2026-13907 reportedly depends on exactly that kind of interaction, although the restricted issue prevents a more detailed account. The attacker cannot simply impose the state; the user must help create it through specific gestures. That sounds like a weakness until one remembers how many mobile experiences already train users to follow onscreen movement instructions without questioning why.
The most plausible operational concern is not that every vulnerable browser will spontaneously show a false interface. It is that an adversary with a believable story could incorporate the required sequence into a page designed to make the victim feel that the browser, account provider, or organization is guiding the process.
This is why UI weaknesses deserve a different mental model from memory-safety bugs. A memory-corruption exploit attempts to make the machine execute something it should not. A spoofing exploit attempts to make the human authorize, trust, or continue something they otherwise would reject.
The machine may still be enforcing its underlying boundaries while the person is being shown an inaccurate representation of them. When that representation concerns critical information, as CWE-451 specifies, the user can become the mechanism by which the attacker crosses a boundary the software did not directly break.

Windows-Centered Security Teams Still Own the Consequences​

Windows administrators might reasonably ask why a Chrome-on-iOS vulnerability belongs in their operational queue. The answer is that enterprise boundaries no longer follow operating-system boundaries. An iPhone can be the front end for a Microsoft identity, a Windows-hosted application, a cloud-management console, a remote desktop session, or an internal web service.
The affected device may not run Windows, but the action taken through it can affect Windows resources. A deceived user could reportedly be led to trust the wrong visual state while accessing an organizational service, and the downstream incident would likely arrive in the identity, email, endpoint, or help-desk systems managed by a Windows-focused team.
That makes accurate scoping especially important. Security teams should neither dismiss the CVE as “an Apple problem” nor apply it indiscriminately to Windows Chrome installations. The correct response is to identify the iOS endpoint population and connect its browser-compliance status to the accounts and services those devices can reach.
This is also an argument for bringing mobile application versions into vulnerability-management dashboards rather than treating them as a separate administrative concern. If a security operations center can see Windows patch levels but not the browser version on a managed iPhone used by a privileged employee, its view of the attack surface is incomplete.
Organizations with fragmented ownership should assign a single accountable team for closure. Mobility may deploy the application update, security may define the deadline, identity may evaluate unmanaged-device exposure, and service-desk staff may handle user communication. Someone must still verify that vulnerable versions are gone.
The practical test is not whether a patch command was sent. It is whether the fleet can demonstrate that Chrome for iOS installations are no longer earlier than the documented boundary. Compliance is the observed version, not the intended policy.

Medium Severity Calls for Discipline Rather Than Drama​

There are two common ways to mishandle a vulnerability like this. The first is to inflate it into a critical mobile takeover, adding unsupported claims about credential theft, code execution, or confirmed phishing campaigns. The second is to ignore it because 4.2 appears low beside the critical vulnerabilities competing for attention.
The evidence supports neither response. CVE-2026-13907 requires user interaction, carries high attack complexity, is not considered automatable in the CISA-ADP assessment, and had no exploitation recorded in the supplied SSVC data. Those are meaningful constraints.
At the same time, the attacker needs no privileges, can deliver the crafted page remotely, and targets a class of weakness that can undermine user decision-making. Updating a browser application is ordinarily far less costly than accepting a known defect in the interface users depend on to judge whether online activity is safe.
Priority should reflect local exposure. An organization with few iOS Chrome users and complete application enforcement can close the issue quickly through routine maintenance. A company with a large personally owned device population, mobile access to sensitive services, and weak application-version visibility has a larger governance problem even if the intrinsic CVSS score remains unchanged.
Privileged users deserve particular attention, not because the CVE record identifies them as targets, but because the cost of successful deception rises with account authority. Administrators should use that business context to order verification while avoiding claims that the vulnerability itself grants privileges it does not possess.
The same restraint should govern incident hunting. Security teams can look for suspicious links, unusual authentication journeys, and reports of misleading mobile pages, but the public record does not supply a unique network indicator or confirmed exploit signature. Patch evidence is likely to be more reliable than speculative detection content.

What the Record Establishes—and What It Does Not​

The most useful reading of CVE-2026-13907 is compact: it is a platform-specific UI-spoofing vulnerability with a clear version cutoff, meaningful interaction requirements, limited assessed technical impact, and insufficient public detail to support elaborate exploit claims.
  • Chrome for iOS versions earlier than 150.0.7871.47 are in the affected range.
  • The recorded platform context combines Google Chrome with Apple iPhone OS.
  • Exploitation requires a crafted HTML page and specific user-interface gestures.
  • Chromium rates the vulnerability Medium; CISA-ADP assigns a 4.2 CVSS v3.1 score.
  • CISA-ADP recorded no exploitation, no automation, and partial technical impact at the stated SSVC timestamp.
  • NIST had not yet provided its own CVSS assessment in the supplied record.
Those facts are enough to drive remediation. They are not enough to declare that the bug is XSS, that credentials are directly exposed, that desktop Chrome is affected, or that active attacks are underway.
The correct security posture is therefore neither alarmist nor passive. Update the affected application, prove that the installed versions crossed the boundary, preserve the iOS platform condition in scanner logic, and treat any future technical detail from Google as a reason to refine—not invent—the threat model.
CVE-2026-13907 will probably be remembered less for its 4.2 score than for the security boundary it exposes: the small visual gap between what a browser is doing and what a user believes it is doing. As mobile access becomes inseparable from enterprise identity and Windows administration, closing that gap will require more than automatic updates; it will require inventories that can see mobile applications, ownership that crosses platform silos, and security reporting disciplined enough to distinguish confirmed behavior from a convincing story about it.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:40:20-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:40:20-07:00
    Original feed URL
  3. Related coverage: cvefeed.io
  4. Related coverage: security.snyk.io
 

Back
Top