Takeaway: CVE-2026-13944 affects Google Chrome on macOS only when the installed version is earlier than 150.0.7871.47. Update and relaunch Chrome now, then verify the complete running version. Open the Chrome menu (⋮) > Help > About Google Chrome, let Chrome check for and install the update, click Relaunch, and return to the About page to confirm that the displayed version is 150.0.7871.47 or later. The supplied CISA SSVC data records exploitation as none.
CVE-2026-13944 is described in the Chrome-originated vulnerability record as an inappropriate implementation in DataTransfer affecting Google Chrome on Mac before version 150.0.7871.47. According to that description, a remote attacker could use a crafted HTML page to leak cross-origin data after persuading the user to perform specific interface gestures.
The description establishes a security problem with clear limits. The attack can originate from web content, but loading a page alone is not described as sufficient. Exploitation requires the user to perform particular gestures, and the record does not disclose what those gestures are.
The documented result is a cross-origin data leak. It is not described as remote code execution, a sandbox escape, privilege escalation, malware installation, persistence, or complete control of the Mac. The supplied information also does not identify the exact data that could be exposed, the amount of data available, or the reliability of the technique.
Those limits should shape how the issue is communicated. CVE-2026-13944 should not be presented as a silent browser takeover, but neither should it be dismissed merely because interaction is required. The browser is expected to enforce boundaries between origins even while a user interacts with web content. The disclosed flaw concerns that browser-enforced separation.
Chromium assigned the vulnerability a Medium security severity. CISA’s Automated Data Processing enrichment assigned a CVSS 3.1 base score of 3.1, rated LOW. These labels come from separate assessment systems and should be reported with their sources intact rather than collapsed into a single unexplained severity.
The National Vulnerability Database displays the CISA-ADP contribution, but the supplied record does not include an NVD-authored CVSS assessment. Administrators importing the CVE into vulnerability-management systems should therefore distinguish the vendor’s Medium rating from CISA-ADP’s numerical LOW score and should not describe 3.1 as NVD’s own score.
CISA-ADP’s CVSS 3.1 vector reflects those conditions. It records a network attack vector, high attack complexity, no privileges required, and required user interaction. The scored effect is limited to confidentiality, with low confidentiality impact and no recorded integrity or availability impact.
The interaction and complexity requirements are meaningful mitigations. They reduce the apparent ease with which the flaw could be exploited at scale and help explain CISA-ADP’s LOW numerical rating. The absence of integrity and availability impact in the vector also separates this issue from vulnerabilities described as modifying data, disrupting service, or taking control of a system.
The supplied record does not explain the required gestures, how conspicuous they would appear, or what conditions must exist for them to produce a useful result. It would therefore be speculative to invent a demonstration, social-engineering scenario, affected DataTransfer method, or detailed exploitation workflow.
The associated Chromium issue reference requires permission. That fact establishes only that the issue is access-restricted. It does not establish why access is restricted, what details the issue contains, or whether the restriction is connected to the timing of user updates.
CISA’s SSVC data adds useful restraint. The assessment records exploitation as “none,” automatable as “no,” and technical impact as “partial.” Those entries support a measured response: update promptly, but do not claim that exploitation has been observed or that every affected Mac should be treated as compromised.
“Exploitation: none” is a status in the supplied assessment, not a promise about all activity everywhere or a guarantee that the status cannot change. Administrators should preserve the exact attribution and avoid translating it into either alarmist claims or permanent reassurance.
The supplied material does not establish:
The weakness is nevertheless significant enough to warrant remediation because the affected-version boundary is explicit and a corrected version is available. Administrators do not need complete implementation details to determine whether a Mac remains in scope. They need the product, operating system, and complete running version.
The platform scope is specific. The affected configuration supplied for this CVE associates the vulnerable Chrome range with macOS. Windows, Linux, ChromeOS, Android, and iOS are not listed as affected by this particular record.
That does not mean Chrome on other platforms should remain outdated. It means the scope of CVE-2026-13944 should not be expanded beyond the documented macOS configuration. Other platforms and Chromium-derived products must be evaluated through their own applicable security information.
A mixed operating-system fleet can therefore target this CVE’s compliance check at Macs running Google Chrome. The test is straightforward:
The Chrome-originated description for this CVE instead emphasizes an inappropriate DataTransfer implementation and cross-origin data leakage after specific UI gestures. The CWE mapping should therefore be preserved as the assigned taxonomy while the concrete vulnerability description remains the primary guide to scope and remediation.
The supplied record does not establish that an internal web application is missing an anti-forgery token or that a particular website, service, or framework must be modified. The documented affected product is Google Chrome on macOS before the fixed-version threshold.
Application-side CSRF controls should not be presented as a substitute for updating the browser. Nor should administrators infer that changing a website’s headers, disabling a browser feature, blocking a particular script pattern, or adjusting an unrelated macOS setting removes the vulnerable path. No equivalent workaround is established in the supplied information.
The reliable remediation is version based: update Google Chrome on Mac to 150.0.7871.47 or a later supported release, relaunch it, and verify the version that is actually running.
Chromium’s Medium rating is the product vendor’s security classification. CISA-ADP’s 3.1 LOW result is a standardized CVSS 3.1 calculation based on the vector included in the supplied record. The two should be displayed side by side with clear attribution.
There is no need to claim that one rating overrides the other or to invent an explanation based on severity guidance not included in the permitted material. The record supports the narrower observation that the assessments use different labels and that the CISA-ADP vector includes substantial mitigating conditions.
Those mitigating conditions are visible in the vector itself:
If the Mac is running Google Chrome earlier than 150.0.7871.47, it remains within the documented affected range. If Chrome is running 150.0.7871.47 or later after relaunch, it has crossed the published fix boundary.
The lack of an NVD-authored CVSS score is also important for reporting accuracy. A security console may import NVD data and display the CISA-ADP score without making the contributor obvious. Internal advisories should identify the 3.1 LOW score as CISA-ADP’s assessment rather than calling it an NVD rating.
Teams should use the ratings to communicate context, not to postpone a low-cost browser update. No exploit-development judgment or speculative data-loss scenario is needed to justify moving an affected installation to the corrected version.
CISA-ADP enrichment: CISA-ADP contributed the CVSS 3.1 vector and 3.1 LOW base score. It also supplied the CWE-352 mapping.
CISA SSVC assessment: The supplied SSVC data recorded exploitation as none, automatable as no, and technical impact as partial.
NIST/NVD configuration enrichment: The affected configuration identifies Google Chrome versions below 150.0.7871.47 in association with macOS. The supplied record does not include an NVD-authored CVSS 4.0, 3.x, or 2.0 assessment.
Current operational threshold: Google Chrome on macOS before 150.0.7871.47 is affected. Version 150.0.7871.47 or later is the remediation boundary established by the supplied information.
This staged record explains why vulnerability tools can show several organizations beside one CVE. The vendor description, contributed CVSS score, SSVC decision data, CWE classification, product normalization, and platform configuration are not necessarily authored by one party.
Administrators should retain that provenance when moving the record into internal ticketing or risk systems. In particular:
Users should not stop after confirming only the major release. “Version 150” is incomplete evidence because affected and corrected builds can share that major number. The success condition is the complete displayed version: 150.0.7871.47 or later.
Managed environments should apply the same test at fleet scale. Inventory and deployment systems can help deliver the update, but a deployment job marked successful is not necessarily the same as current evidence from the active installation. Systems with old, missing, or partial inventory data should remain unresolved until their running version is confirmed.
Administrators should not claim that a particular browser event, log entry, script pattern, domain category, or endpoint alert reliably detects this vulnerability. Generic security evidence may still matter in an independently suspicious incident, but the CVE record itself does not establish a specialized detection method.
The clearest control is removal of the affected version. A Mac below 150.0.7871.47 requires remediation; a Mac verified at 150.0.7871.47 or later has crossed the documented threshold.
If separate evidence suggests malicious activity, organizations should follow their established incident-response procedures. Exposure to this CVE alone, however, is not evidence that exploitation occurred. That distinction aligns with the supplied SSVC status, which records exploitation as none.
It does not establish the exact leaked data, public exploitation, code execution, system compromise, or an exploit-specific detection method. Its attack conditions include high complexity and required user interaction, and CISA-ADP’s CVSS 3.1 assessment is 3.1 LOW. Chromium’s own product-security rating is Medium. NVD has not supplied its own CVSS assessment in the provided material.
For end users, the answer is immediate: open Chrome menu (⋮) > Help > About Google Chrome, let Chrome update, click Relaunch, and confirm that the displayed version is 150.0.7871.47 or later.
For administrators, the response is measurable: identify Google Chrome installations on managed Macs, compare their complete running versions with 150.0.7871.47, use the established managed update process, and retain current evidence that each in-scope installation crossed the boundary.
Future authoritative information could change the exploitation assessment or expand the product guidance. Until then, the defensible conclusion remains precise: Google Chrome on macOS before 150.0.7871.47 is affected; 150.0.7871.47 or later is the fix boundary; and the supplied SSVC data records no exploitation.
Chrome’s Fix Closes a Narrow but Important Data Boundary
CVE-2026-13944 is described in the Chrome-originated vulnerability record as an inappropriate implementation in DataTransfer affecting Google Chrome on Mac before version 150.0.7871.47. According to that description, a remote attacker could use a crafted HTML page to leak cross-origin data after persuading the user to perform specific interface gestures.The description establishes a security problem with clear limits. The attack can originate from web content, but loading a page alone is not described as sufficient. Exploitation requires the user to perform particular gestures, and the record does not disclose what those gestures are.
The documented result is a cross-origin data leak. It is not described as remote code execution, a sandbox escape, privilege escalation, malware installation, persistence, or complete control of the Mac. The supplied information also does not identify the exact data that could be exposed, the amount of data available, or the reliability of the technique.
Those limits should shape how the issue is communicated. CVE-2026-13944 should not be presented as a silent browser takeover, but neither should it be dismissed merely because interaction is required. The browser is expected to enforce boundaries between origins even while a user interacts with web content. The disclosed flaw concerns that browser-enforced separation.
Chromium assigned the vulnerability a Medium security severity. CISA’s Automated Data Processing enrichment assigned a CVSS 3.1 base score of 3.1, rated LOW. These labels come from separate assessment systems and should be reported with their sources intact rather than collapsed into a single unexplained severity.
The National Vulnerability Database displays the CISA-ADP contribution, but the supplied record does not include an NVD-authored CVSS assessment. Administrators importing the CVE into vulnerability-management systems should therefore distinguish the vendor’s Medium rating from CISA-ADP’s numerical LOW score and should not describe 3.1 as NVD’s own score.
Interaction Requirements Reduce Exposure Without Removing It
The phrase “specific UI gestures” is central to the disclosed attack conditions. It indicates that the crafted page does not obtain the cross-origin information solely through an invisible background operation. The victim must participate in an interface sequence after reaching the attacker-controlled content.CISA-ADP’s CVSS 3.1 vector reflects those conditions. It records a network attack vector, high attack complexity, no privileges required, and required user interaction. The scored effect is limited to confidentiality, with low confidentiality impact and no recorded integrity or availability impact.
| Assessment layer | Rating or status | Exploit condition | Recorded impact | Operational reading |
|---|---|---|---|---|
| Chromium security severity | Medium | Crafted HTML page plus specific UI gestures | Cross-origin data leakage | Vendor-rated browser security flaw with meaningful mitigating conditions |
| CISA-ADP CVSS 3.1 | 3.1, LOW | Network reachable, high complexity, no privileges, user interaction required | Low confidentiality impact; no integrity or availability impact | Limited and difficult as a stand-alone attack under the supplied vector |
| CISA SSVC | Exploitation: none; Automatable: no; Technical impact: partial | User-assisted attack not assessed as automatable | Partial technical impact | No recorded exploitation in the supplied assessment |
| NVD CVSS 4.0 | Not supplied by NVD | Not independently assessed by NVD | Not independently assessed by NVD | Do not substitute another contributor’s score for an NVD-authored score |
| NVD CVSS 3.x | Not supplied by NVD | Not independently assessed by NVD | Not independently assessed by NVD | The visible 3.1 score is attributed to CISA-ADP |
| NVD CVSS 2.0 | Not supplied by NVD | Not independently assessed by NVD | Not independently assessed by NVD | No legacy NVD score is established by the supplied record |
The supplied record does not explain the required gestures, how conspicuous they would appear, or what conditions must exist for them to produce a useful result. It would therefore be speculative to invent a demonstration, social-engineering scenario, affected DataTransfer method, or detailed exploitation workflow.
The associated Chromium issue reference requires permission. That fact establishes only that the issue is access-restricted. It does not establish why access is restricted, what details the issue contains, or whether the restriction is connected to the timing of user updates.
CISA’s SSVC data adds useful restraint. The assessment records exploitation as “none,” automatable as “no,” and technical impact as “partial.” Those entries support a measured response: update promptly, but do not claim that exploitation has been observed or that every affected Mac should be treated as compromised.
“Exploitation: none” is a status in the supplied assessment, not a promise about all activity everywhere or a guarantee that the status cannot change. Administrators should preserve the exact attribution and avoid translating it into either alarmist claims or permanent reassurance.
The Public Description Supports a Limited Technical Conclusion
The defensible technical description of CVE-2026-13944 is concise. Google Chrome on Mac contained an inappropriate DataTransfer implementation that could allow a remote attacker to leak cross-origin data through a crafted HTML page after inducing specific UI gestures.The supplied material does not establish:
- The exact browser operations or DataTransfer methods involved.
- The precise sequence of gestures required.
- The type, quantity, or sensitivity of the data that could be leaked.
- Access to clipboard contents, local files, authentication tokens, or any other specific data category.
- A failure in a named macOS protection or platform adapter.
- Code execution, sandbox escape, privilege escalation, persistence, or system compromise.
- A reliable exploit signature or public reproduction procedure.
- Exploitation against real users.
The weakness is nevertheless significant enough to warrant remediation because the affected-version boundary is explicit and a corrected version is available. Administrators do not need complete implementation details to determine whether a Mac remains in scope. They need the product, operating system, and complete running version.
The platform scope is specific. The affected configuration supplied for this CVE associates the vulnerable Chrome range with macOS. Windows, Linux, ChromeOS, Android, and iOS are not listed as affected by this particular record.
That does not mean Chrome on other platforms should remain outdated. It means the scope of CVE-2026-13944 should not be expanded beyond the documented macOS configuration. Other platforms and Chromium-derived products must be evaluated through their own applicable security information.
A mixed operating-system fleet can therefore target this CVE’s compliance check at Macs running Google Chrome. The test is straightforward:
- A complete Chrome version earlier than 150.0.7871.47 is inside the affected range.
- Chrome 150.0.7871.47 or later is outside the stated affected range.
- A missing, stale, incomplete, or major-version-only inventory result is not enough to establish compliance.
The CWE Label Does Not Replace the Concrete Description
CISA-ADP mapped CVE-2026-13944 to CWE-352, Cross-Site Request Forgery. Administrators may associate that name with server-side application flaws in which a browser is induced to send an unwanted authenticated request.The Chrome-originated description for this CVE instead emphasizes an inappropriate DataTransfer implementation and cross-origin data leakage after specific UI gestures. The CWE mapping should therefore be preserved as the assigned taxonomy while the concrete vulnerability description remains the primary guide to scope and remediation.
The supplied record does not establish that an internal web application is missing an anti-forgery token or that a particular website, service, or framework must be modified. The documented affected product is Google Chrome on macOS before the fixed-version threshold.
Application-side CSRF controls should not be presented as a substitute for updating the browser. Nor should administrators infer that changing a website’s headers, disabling a browser feature, blocking a particular script pattern, or adjusting an unrelated macOS setting removes the vulnerable path. No equivalent workaround is established in the supplied information.
The reliable remediation is version based: update Google Chrome on Mac to 150.0.7871.47 or a later supported release, relaunch it, and verify the version that is actually running.
The Scores Explain Context, but the Version Decides Exposure
The vendor and CISA-ADP ratings provide different forms of context.Chromium’s Medium rating is the product vendor’s security classification. CISA-ADP’s 3.1 LOW result is a standardized CVSS 3.1 calculation based on the vector included in the supplied record. The two should be displayed side by side with clear attribution.
There is no need to claim that one rating overrides the other or to invent an explanation based on severity guidance not included in the permitted material. The record supports the narrower observation that the assessments use different labels and that the CISA-ADP vector includes substantial mitigating conditions.
Those mitigating conditions are visible in the vector itself:
- The attack is network reachable.
- The attack complexity is high.
- The attacker requires no prior privileges.
- User interaction is required.
- The recorded effect is limited to low confidentiality impact.
- No integrity impact is recorded.
- No availability impact is recorded.
If the Mac is running Google Chrome earlier than 150.0.7871.47, it remains within the documented affected range. If Chrome is running 150.0.7871.47 or later after relaunch, it has crossed the published fix boundary.
The lack of an NVD-authored CVSS score is also important for reporting accuracy. A security console may import NVD data and display the CISA-ADP score without making the contributor obvious. Internal advisories should identify the 3.1 LOW score as CISA-ADP’s assessment rather than calling it an NVD rating.
Teams should use the ratings to communicate context, not to postpone a low-cost browser update. No exploit-development judgment or speculative data-loss scenario is needed to justify moving an affected installation to the corrected version.
The Disclosure Record Was Enriched in Stages
The supplied vulnerability information reflects contributions from more than one organization. The available record establishes a sequence of vendor disclosure and later enrichment, but it does not support assigning every data element to a particular unverified calendar date.Timeline
Chrome-originated record: Chrome supplied the description of an inappropriate implementation in DataTransfer, the Mac scope, the crafted-HTML and specific-gesture conditions, the cross-origin leakage impact, the Medium vendor severity, and associated references.CISA-ADP enrichment: CISA-ADP contributed the CVSS 3.1 vector and 3.1 LOW base score. It also supplied the CWE-352 mapping.
CISA SSVC assessment: The supplied SSVC data recorded exploitation as none, automatable as no, and technical impact as partial.
NIST/NVD configuration enrichment: The affected configuration identifies Google Chrome versions below 150.0.7871.47 in association with macOS. The supplied record does not include an NVD-authored CVSS 4.0, 3.x, or 2.0 assessment.
Current operational threshold: Google Chrome on macOS before 150.0.7871.47 is affected. Version 150.0.7871.47 or later is the remediation boundary established by the supplied information.
This staged record explains why vulnerability tools can show several organizations beside one CVE. The vendor description, contributed CVSS score, SSVC decision data, CWE classification, product normalization, and platform configuration are not necessarily authored by one party.
Administrators should retain that provenance when moving the record into internal ticketing or risk systems. In particular:
- Label Medium as Chromium’s severity.
- Label 3.1 LOW as CISA-ADP’s CVSS 3.1 assessment.
- Label the SSVC exploitation status as the supplied CISA assessment.
- Do not call the contributed 3.1 score an NVD-authored score.
- Use the normalized macOS configuration and fixed-version boundary to identify affected installations.
- Avoid publishing precise disclosure or modification dates unless those dates have been separately verified from the underlying change-history entries.
Mac Fleets Need a Verified Version Audit
For individual users, the remediation procedure is exact:- Open Google Chrome on the Mac.
- Select the three-dot Chrome menu (⋮).
- Select Help.
- Select About Google Chrome.
- Let Chrome check for and install the available update.
- Click Relaunch when the button appears.
- After Chrome reopens, return to ⋮ > Help > About Google Chrome.
- Confirm that the displayed version is 150.0.7871.47 or later.
Users should not stop after confirming only the major release. “Version 150” is incomplete evidence because affected and corrected builds can share that major number. The success condition is the complete displayed version: 150.0.7871.47 or later.
Managed environments should apply the same test at fleet scale. Inventory and deployment systems can help deliver the update, but a deployment job marked successful is not necessarily the same as current evidence from the active installation. Systems with old, missing, or partial inventory data should remain unresolved until their running version is confirmed.
Action checklist for administrators
Immediate remediation
- Inventory Google Chrome installations across managed Macs.
- Identify every complete version earlier than 150.0.7871.47.
- Deploy Chrome 150.0.7871.47 or a later supported release through the organization’s established update process.
- Instruct users to open ⋮ > Help > About Google Chrome, let the update complete, and click Relaunch.
- Verify the complete displayed version after Chrome restarts.
- Treat missing, stale, or major-version-only results as unresolved.
Scope validation
- Confirm that inventory records refer specifically to Google Chrome on macOS.
- Do not apply this CVE’s macOS configuration to Windows or Linux without separate authoritative information.
- Do not assume that updating Microsoft Edge, another Chromium-derived browser, or macOS itself updates Google Chrome.
- Check other browsers against their vendors’ own affected-version and fixed-version information.
- Distinguish production Chrome installations from beta, development, test, or specially packaged builds.
Risk communication
- Describe the issue as a user-assisted cross-origin data leak through crafted HTML.
- State that Chromium rated it Medium and CISA-ADP scored it 3.1 LOW.
- State that the supplied SSVC assessment records exploitation as none.
- Do not claim that credentials, tokens, files, clipboard contents, or other named data types were exposed.
- Do not claim code execution, sandbox escape, malware installation, or control of the Mac.
- Do not treat the presence of an affected version as proof of compromise.
- Avoid inventing the gestures, lure, exploit workflow, or technical implementation details.
Compliance reporting
- Record all four components of the installed Chrome version.
- Separate confirmed remediation from pending, offline, stale, or unknown status.
- Recheck devices that remain below 150.0.7871.47.
- Retain current version evidence using the organization’s normal management and audit process.
- Keep the source of each severity field visible in internal reports.
- Reassess the entry if authoritative sources later change the affected range or exploitation status.
That message avoids both understatement and unsupported alarm. It tells users what is affected, what to do, and how to confirm success.Google has fixed a Chrome security vulnerability affecting Mac versions earlier than 150.0.7871.47. Open Chrome and select ⋮ > Help > About Google Chrome. Let the update install, click Relaunch, and confirm that the displayed version is 150.0.7871.47 or later.
Detection Should Not Replace Version Remediation
The supplied record does not provide a public exploit signature, exact gesture sequence, affected method list, or reproducible network pattern. It therefore does not support detailed telemetry or detection recommendations tailored specifically to successful exploitation of CVE-2026-13944.Administrators should not claim that a particular browser event, log entry, script pattern, domain category, or endpoint alert reliably detects this vulnerability. Generic security evidence may still matter in an independently suspicious incident, but the CVE record itself does not establish a specialized detection method.
The clearest control is removal of the affected version. A Mac below 150.0.7871.47 requires remediation; a Mac verified at 150.0.7871.47 or later has crossed the documented threshold.
If separate evidence suggests malicious activity, organizations should follow their established incident-response procedures. Exposure to this CVE alone, however, is not evidence that exploitation occurred. That distinction aligns with the supplied SSVC status, which records exploitation as none.
The Practical Decision Is Simple
CVE-2026-13944 is narrower than a browser takeover and more concrete than a theoretical concern. The supplied record establishes an inappropriate DataTransfer implementation in Google Chrome on Mac that could allow cross-origin data leakage from crafted HTML after specific user gestures.It does not establish the exact leaked data, public exploitation, code execution, system compromise, or an exploit-specific detection method. Its attack conditions include high complexity and required user interaction, and CISA-ADP’s CVSS 3.1 assessment is 3.1 LOW. Chromium’s own product-security rating is Medium. NVD has not supplied its own CVSS assessment in the provided material.
For end users, the answer is immediate: open Chrome menu (⋮) > Help > About Google Chrome, let Chrome update, click Relaunch, and confirm that the displayed version is 150.0.7871.47 or later.
For administrators, the response is measurable: identify Google Chrome installations on managed Macs, compare their complete running versions with 150.0.7871.47, use the established managed update process, and retain current evidence that each in-scope installation crossed the boundary.
Future authoritative information could change the exploitation assessment or expand the product guidance. Until then, the defensible conclusion remains precise: Google Chrome on macOS before 150.0.7871.47 is affected; 150.0.7871.47 or later is the fix boundary; and the supplied SSVC data records no exploitation.
References
- Primary source: NVD / Chromium
Published: 2026-07-11T15:39:42-07:00
Loading…
nvd.nist.gov - Security advisory: MSRC
Published: 2026-07-11T15:39:42-07:00
Original feed URL
Loading…
msrc.microsoft.com - Official source: developer.mozilla.org
Loading…
developer.mozilla.org - Related coverage: chromium.org
Loading…
www.chromium.org