CVE-2026-13944: Update Chrome for Mac to 150.0.7871.47

Takeaway: CVE-2026-13944 affects Google Chrome on macOS only when the installed version is earlier than 150.0.7871.47. Update and relaunch Chrome now, then verify the complete running version. Open the Chrome menu (⋮) > Help > About Google Chrome, let Chrome check for and install the update, click Relaunch, and return to the About page to confirm that the displayed version is 150.0.7871.47 or later. The supplied CISA SSVC data records exploitation as none.

Laptop showing Chrome settings beside an infographic about same-origin policy blocking cross-origin access.Chrome’s Fix Closes a Narrow but Important Data Boundary​

CVE-2026-13944 is described in the Chrome-originated vulnerability record as an inappropriate implementation in DataTransfer affecting Google Chrome on Mac before version 150.0.7871.47. According to that description, a remote attacker could use a crafted HTML page to leak cross-origin data after persuading the user to perform specific interface gestures.
The description establishes a security problem with clear limits. The attack can originate from web content, but loading a page alone is not described as sufficient. Exploitation requires the user to perform particular gestures, and the record does not disclose what those gestures are.
The documented result is a cross-origin data leak. It is not described as remote code execution, a sandbox escape, privilege escalation, malware installation, persistence, or complete control of the Mac. The supplied information also does not identify the exact data that could be exposed, the amount of data available, or the reliability of the technique.
Those limits should shape how the issue is communicated. CVE-2026-13944 should not be presented as a silent browser takeover, but neither should it be dismissed merely because interaction is required. The browser is expected to enforce boundaries between origins even while a user interacts with web content. The disclosed flaw concerns that browser-enforced separation.
Chromium assigned the vulnerability a Medium security severity. CISA’s Automated Data Processing enrichment assigned a CVSS 3.1 base score of 3.1, rated LOW. These labels come from separate assessment systems and should be reported with their sources intact rather than collapsed into a single unexplained severity.
The National Vulnerability Database displays the CISA-ADP contribution, but the supplied record does not include an NVD-authored CVSS assessment. Administrators importing the CVE into vulnerability-management systems should therefore distinguish the vendor’s Medium rating from CISA-ADP’s numerical LOW score and should not describe 3.1 as NVD’s own score.

Interaction Requirements Reduce Exposure Without Removing It​

The phrase “specific UI gestures” is central to the disclosed attack conditions. It indicates that the crafted page does not obtain the cross-origin information solely through an invisible background operation. The victim must participate in an interface sequence after reaching the attacker-controlled content.
CISA-ADP’s CVSS 3.1 vector reflects those conditions. It records a network attack vector, high attack complexity, no privileges required, and required user interaction. The scored effect is limited to confidentiality, with low confidentiality impact and no recorded integrity or availability impact.
Assessment layerRating or statusExploit conditionRecorded impactOperational reading
Chromium security severityMediumCrafted HTML page plus specific UI gesturesCross-origin data leakageVendor-rated browser security flaw with meaningful mitigating conditions
CISA-ADP CVSS 3.13.1, LOWNetwork reachable, high complexity, no privileges, user interaction requiredLow confidentiality impact; no integrity or availability impactLimited and difficult as a stand-alone attack under the supplied vector
CISA SSVCExploitation: none; Automatable: no; Technical impact: partialUser-assisted attack not assessed as automatablePartial technical impactNo recorded exploitation in the supplied assessment
NVD CVSS 4.0Not supplied by NVDNot independently assessed by NVDNot independently assessed by NVDDo not substitute another contributor’s score for an NVD-authored score
NVD CVSS 3.xNot supplied by NVDNot independently assessed by NVDNot independently assessed by NVDThe visible 3.1 score is attributed to CISA-ADP
NVD CVSS 2.0Not supplied by NVDNot independently assessed by NVDNot independently assessed by NVDNo legacy NVD score is established by the supplied record
The interaction and complexity requirements are meaningful mitigations. They reduce the apparent ease with which the flaw could be exploited at scale and help explain CISA-ADP’s LOW numerical rating. The absence of integrity and availability impact in the vector also separates this issue from vulnerabilities described as modifying data, disrupting service, or taking control of a system.
The supplied record does not explain the required gestures, how conspicuous they would appear, or what conditions must exist for them to produce a useful result. It would therefore be speculative to invent a demonstration, social-engineering scenario, affected DataTransfer method, or detailed exploitation workflow.
The associated Chromium issue reference requires permission. That fact establishes only that the issue is access-restricted. It does not establish why access is restricted, what details the issue contains, or whether the restriction is connected to the timing of user updates.
CISA’s SSVC data adds useful restraint. The assessment records exploitation as “none,” automatable as “no,” and technical impact as “partial.” Those entries support a measured response: update promptly, but do not claim that exploitation has been observed or that every affected Mac should be treated as compromised.
“Exploitation: none” is a status in the supplied assessment, not a promise about all activity everywhere or a guarantee that the status cannot change. Administrators should preserve the exact attribution and avoid translating it into either alarmist claims or permanent reassurance.

The Public Description Supports a Limited Technical Conclusion​

The defensible technical description of CVE-2026-13944 is concise. Google Chrome on Mac contained an inappropriate DataTransfer implementation that could allow a remote attacker to leak cross-origin data through a crafted HTML page after inducing specific UI gestures.
The supplied material does not establish:
  • The exact browser operations or DataTransfer methods involved.
  • The precise sequence of gestures required.
  • The type, quantity, or sensitivity of the data that could be leaked.
  • Access to clipboard contents, local files, authentication tokens, or any other specific data category.
  • A failure in a named macOS protection or platform adapter.
  • Code execution, sandbox escape, privilege escalation, persistence, or system compromise.
  • A reliable exploit signature or public reproduction procedure.
  • Exploitation against real users.
Keeping those distinctions visible prevents a narrow browser vulnerability from being expanded into a broader attack story that the record does not support.
The weakness is nevertheless significant enough to warrant remediation because the affected-version boundary is explicit and a corrected version is available. Administrators do not need complete implementation details to determine whether a Mac remains in scope. They need the product, operating system, and complete running version.
The platform scope is specific. The affected configuration supplied for this CVE associates the vulnerable Chrome range with macOS. Windows, Linux, ChromeOS, Android, and iOS are not listed as affected by this particular record.
That does not mean Chrome on other platforms should remain outdated. It means the scope of CVE-2026-13944 should not be expanded beyond the documented macOS configuration. Other platforms and Chromium-derived products must be evaluated through their own applicable security information.
A mixed operating-system fleet can therefore target this CVE’s compliance check at Macs running Google Chrome. The test is straightforward:
  • A complete Chrome version earlier than 150.0.7871.47 is inside the affected range.
  • Chrome 150.0.7871.47 or later is outside the stated affected range.
  • A missing, stale, incomplete, or major-version-only inventory result is not enough to establish compliance.
The complete four-part version matters. A report that says only “Chrome 150” cannot show whether the browser is below, equal to, or above 150.0.7871.47.

The CWE Label Does Not Replace the Concrete Description​

CISA-ADP mapped CVE-2026-13944 to CWE-352, Cross-Site Request Forgery. Administrators may associate that name with server-side application flaws in which a browser is induced to send an unwanted authenticated request.
The Chrome-originated description for this CVE instead emphasizes an inappropriate DataTransfer implementation and cross-origin data leakage after specific UI gestures. The CWE mapping should therefore be preserved as the assigned taxonomy while the concrete vulnerability description remains the primary guide to scope and remediation.
The supplied record does not establish that an internal web application is missing an anti-forgery token or that a particular website, service, or framework must be modified. The documented affected product is Google Chrome on macOS before the fixed-version threshold.
Application-side CSRF controls should not be presented as a substitute for updating the browser. Nor should administrators infer that changing a website’s headers, disabling a browser feature, blocking a particular script pattern, or adjusting an unrelated macOS setting removes the vulnerable path. No equivalent workaround is established in the supplied information.
The reliable remediation is version based: update Google Chrome on Mac to 150.0.7871.47 or a later supported release, relaunch it, and verify the version that is actually running.

The Scores Explain Context, but the Version Decides Exposure​

The vendor and CISA-ADP ratings provide different forms of context.
Chromium’s Medium rating is the product vendor’s security classification. CISA-ADP’s 3.1 LOW result is a standardized CVSS 3.1 calculation based on the vector included in the supplied record. The two should be displayed side by side with clear attribution.
There is no need to claim that one rating overrides the other or to invent an explanation based on severity guidance not included in the permitted material. The record supports the narrower observation that the assessments use different labels and that the CISA-ADP vector includes substantial mitigating conditions.
Those mitigating conditions are visible in the vector itself:
  • The attack is network reachable.
  • The attack complexity is high.
  • The attacker requires no prior privileges.
  • User interaction is required.
  • The recorded effect is limited to low confidentiality impact.
  • No integrity impact is recorded.
  • No availability impact is recorded.
That combination supports a lower numerical priority than a browser vulnerability offering automatic code execution or total confidentiality, integrity, and availability impact. It does not change the binary exposure decision for an individual Mac.
If the Mac is running Google Chrome earlier than 150.0.7871.47, it remains within the documented affected range. If Chrome is running 150.0.7871.47 or later after relaunch, it has crossed the published fix boundary.
The lack of an NVD-authored CVSS score is also important for reporting accuracy. A security console may import NVD data and display the CISA-ADP score without making the contributor obvious. Internal advisories should identify the 3.1 LOW score as CISA-ADP’s assessment rather than calling it an NVD rating.
Teams should use the ratings to communicate context, not to postpone a low-cost browser update. No exploit-development judgment or speculative data-loss scenario is needed to justify moving an affected installation to the corrected version.

The Disclosure Record Was Enriched in Stages​

The supplied vulnerability information reflects contributions from more than one organization. The available record establishes a sequence of vendor disclosure and later enrichment, but it does not support assigning every data element to a particular unverified calendar date.

Timeline​

Chrome-originated record: Chrome supplied the description of an inappropriate implementation in DataTransfer, the Mac scope, the crafted-HTML and specific-gesture conditions, the cross-origin leakage impact, the Medium vendor severity, and associated references.
CISA-ADP enrichment: CISA-ADP contributed the CVSS 3.1 vector and 3.1 LOW base score. It also supplied the CWE-352 mapping.
CISA SSVC assessment: The supplied SSVC data recorded exploitation as none, automatable as no, and technical impact as partial.
NIST/NVD configuration enrichment: The affected configuration identifies Google Chrome versions below 150.0.7871.47 in association with macOS. The supplied record does not include an NVD-authored CVSS 4.0, 3.x, or 2.0 assessment.
Current operational threshold: Google Chrome on macOS before 150.0.7871.47 is affected. Version 150.0.7871.47 or later is the remediation boundary established by the supplied information.
This staged record explains why vulnerability tools can show several organizations beside one CVE. The vendor description, contributed CVSS score, SSVC decision data, CWE classification, product normalization, and platform configuration are not necessarily authored by one party.
Administrators should retain that provenance when moving the record into internal ticketing or risk systems. In particular:
  • Label Medium as Chromium’s severity.
  • Label 3.1 LOW as CISA-ADP’s CVSS 3.1 assessment.
  • Label the SSVC exploitation status as the supplied CISA assessment.
  • Do not call the contributed 3.1 score an NVD-authored score.
  • Use the normalized macOS configuration and fixed-version boundary to identify affected installations.
  • Avoid publishing precise disclosure or modification dates unless those dates have been separately verified from the underlying change-history entries.
This approach is more accurate than presenting the CVE as a single unified judgment. It also protects later reporting from confusion if one contributor updates its assessment while another field remains unchanged.

Mac Fleets Need a Verified Version Audit​

For individual users, the remediation procedure is exact:
  1. Open Google Chrome on the Mac.
  2. Select the three-dot Chrome menu (⋮).
  3. Select Help.
  4. Select About Google Chrome.
  5. Let Chrome check for and install the available update.
  6. Click Relaunch when the button appears.
  7. After Chrome reopens, return to ⋮ > Help > About Google Chrome.
  8. Confirm that the displayed version is 150.0.7871.47 or later.
The final verification step is essential. Seeing an update notification, starting a download, or being told that an update was assigned does not prove that the corrected browser is running. Compliance should be based on the full version displayed after Chrome has relaunched.
Users should not stop after confirming only the major release. “Version 150” is incomplete evidence because affected and corrected builds can share that major number. The success condition is the complete displayed version: 150.0.7871.47 or later.
Managed environments should apply the same test at fleet scale. Inventory and deployment systems can help deliver the update, but a deployment job marked successful is not necessarily the same as current evidence from the active installation. Systems with old, missing, or partial inventory data should remain unresolved until their running version is confirmed.

Action checklist for administrators​

Immediate remediation​

  • Inventory Google Chrome installations across managed Macs.
  • Identify every complete version earlier than 150.0.7871.47.
  • Deploy Chrome 150.0.7871.47 or a later supported release through the organization’s established update process.
  • Instruct users to open ⋮ > Help > About Google Chrome, let the update complete, and click Relaunch.
  • Verify the complete displayed version after Chrome restarts.
  • Treat missing, stale, or major-version-only results as unresolved.

Scope validation​

  • Confirm that inventory records refer specifically to Google Chrome on macOS.
  • Do not apply this CVE’s macOS configuration to Windows or Linux without separate authoritative information.
  • Do not assume that updating Microsoft Edge, another Chromium-derived browser, or macOS itself updates Google Chrome.
  • Check other browsers against their vendors’ own affected-version and fixed-version information.
  • Distinguish production Chrome installations from beta, development, test, or specially packaged builds.

Risk communication​

  • Describe the issue as a user-assisted cross-origin data leak through crafted HTML.
  • State that Chromium rated it Medium and CISA-ADP scored it 3.1 LOW.
  • State that the supplied SSVC assessment records exploitation as none.
  • Do not claim that credentials, tokens, files, clipboard contents, or other named data types were exposed.
  • Do not claim code execution, sandbox escape, malware installation, or control of the Mac.
  • Do not treat the presence of an affected version as proof of compromise.
  • Avoid inventing the gestures, lure, exploit workflow, or technical implementation details.

Compliance reporting​

  • Record all four components of the installed Chrome version.
  • Separate confirmed remediation from pending, offline, stale, or unknown status.
  • Recheck devices that remain below 150.0.7871.47.
  • Retain current version evidence using the organization’s normal management and audit process.
  • Keep the source of each severity field visible in internal reports.
  • Reassess the entry if authoritative sources later change the affected range or exploitation status.
A concise user notice can remain factual and actionable:
Google has fixed a Chrome security vulnerability affecting Mac versions earlier than 150.0.7871.47. Open Chrome and select ⋮ > Help > About Google Chrome. Let the update install, click Relaunch, and confirm that the displayed version is 150.0.7871.47 or later.
That message avoids both understatement and unsupported alarm. It tells users what is affected, what to do, and how to confirm success.

Detection Should Not Replace Version Remediation​

The supplied record does not provide a public exploit signature, exact gesture sequence, affected method list, or reproducible network pattern. It therefore does not support detailed telemetry or detection recommendations tailored specifically to successful exploitation of CVE-2026-13944.
Administrators should not claim that a particular browser event, log entry, script pattern, domain category, or endpoint alert reliably detects this vulnerability. Generic security evidence may still matter in an independently suspicious incident, but the CVE record itself does not establish a specialized detection method.
The clearest control is removal of the affected version. A Mac below 150.0.7871.47 requires remediation; a Mac verified at 150.0.7871.47 or later has crossed the documented threshold.
If separate evidence suggests malicious activity, organizations should follow their established incident-response procedures. Exposure to this CVE alone, however, is not evidence that exploitation occurred. That distinction aligns with the supplied SSVC status, which records exploitation as none.

The Practical Decision Is Simple​

CVE-2026-13944 is narrower than a browser takeover and more concrete than a theoretical concern. The supplied record establishes an inappropriate DataTransfer implementation in Google Chrome on Mac that could allow cross-origin data leakage from crafted HTML after specific user gestures.
It does not establish the exact leaked data, public exploitation, code execution, system compromise, or an exploit-specific detection method. Its attack conditions include high complexity and required user interaction, and CISA-ADP’s CVSS 3.1 assessment is 3.1 LOW. Chromium’s own product-security rating is Medium. NVD has not supplied its own CVSS assessment in the provided material.
For end users, the answer is immediate: open Chrome menu (⋮) > Help > About Google Chrome, let Chrome update, click Relaunch, and confirm that the displayed version is 150.0.7871.47 or later.
For administrators, the response is measurable: identify Google Chrome installations on managed Macs, compare their complete running versions with 150.0.7871.47, use the established managed update process, and retain current evidence that each in-scope installation crossed the boundary.
Future authoritative information could change the exploitation assessment or expand the product guidance. Until then, the defensible conclusion remains precise: Google Chrome on macOS before 150.0.7871.47 is affected; 150.0.7871.47 or later is the fix boundary; and the supplied SSVC data records no exploitation.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:39:42-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:39:42-07:00
    Original feed URL
  3. Official source: developer.mozilla.org
  4. Related coverage: chromium.org
 

Back
Top