CVE-2026-13974: Update Chrome for macOS to 150.0.7871.47

Google Chrome on macOS must be updated to version 150.0.7871.47 or later for CVE-2026-13974. The vulnerability is an integer overflow in Safe Browsing that could allow a remote attacker to bypass navigation restrictions through a malicious file.
The documented scope is specific: Google Chrome on macOS before version 150.0.7871.47. Windows and Linux are not identified as affected. Chromium rates the issue Medium, while CISA-ADP contributed a CVSS 3.1 score of 8.1 HIGH. Those assessments have different provenance and should be reported separately.
CISA-ADP’s CVSS vector includes UI:R, but the vendor description itself does not independently define the exact interaction sequence or exploit prerequisites. The public record does not document arbitrary code execution, sandbox escape, credential theft, or full compromise of macOS.
Mac users and administrators should install a release that meets the supplied remediation threshold, then verify the complete installed Chrome version. Organizations should use their approved browser-update process; the supplied vulnerability record does not support a specific Chrome user-interface procedure.
Who needs to act
Users and administrators responsible for Macs running Google Chrome earlier than 150.0.7871.47.
What to do
Update Chrome through an approved user or enterprise process, then confirm that the complete installed version is 150.0.7871.47 or later.
Who is not identified as affected
Chrome installations on Windows or Linux are not identified as affected by CVE-2026-13974. Other Chromium-based browsers also require product-specific evidence before they are classified as affected.

A MacBook displays a Chrome security update notice, with macOS scope and risk assessments shown alongside.A Medium Chrome Bug With a Narrowly Documented Outcome​

Chrome’s description states that an integer overflow in Safe Browsing could allow a remote attacker to bypass navigation restrictions through a malicious file. That establishes the affected component, the defect type, the remote context, the malicious-file condition, and the documented security result.
It does not establish a more expansive impact. The supplied record does not say that CVE-2026-13974 permits arbitrary code execution, memory disclosure, sandbox escape, persistence, credential theft, unrestricted control of Chrome, or compromise of macOS.
The phrase “malicious file” is also not accompanied by a public file type, triggering structure, delivery mechanism, or technical proof of concept. Security communications should not name a particular document, archive, disk image, media format, or other file category without additional evidence.
CISA-ADP’s contributed CVSS vector includes the user-interaction metric UI:R. That is appropriately described as part of CISA-ADP’s assessment, not as a detailed vendor-confirmed account of what the user must do. The available material does not provide enough information to label a specific workflow, explain the interaction, or make broader claims about exploit automation.
The associated Chromium issue is permission-restricted, limiting public technical analysis. The record does not expose the affected function, arithmetic operation, implementation path, source-code change, or reason that the affected-product configuration is limited to macOS. Those gaps should not be filled with inferred exploit mechanics.
What is not confirmed
  • No public exploit mechanics are provided.
  • No CVE-specific indicators of compromise are documented.
  • No impact beyond a navigation-restriction bypass is documented in the vendor description.
The defensible response is therefore straightforward: address the affected Mac versions while keeping descriptions of the vulnerability within the limits of the available record.

Chromium Medium and CISA-ADP 8.1 HIGH Are Separate Assessments​

The most prominent metadata difference is the split between Chromium’s Medium severity and CISA-ADP’s 8.1 HIGH CVSS 3.1 score. Neither label should be stripped of its attribution or presented as the sole authoritative description.
Chromium’s Medium rating is the vendor’s product-security classification. CISA-ADP contributed this CVSS 3.1 vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
The vector models a network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, and high integrity and availability impacts.
These are scoring inputs. They are not a substitute for the vendor’s description of the demonstrated or documented outcome. In particular, CISA-ADP’s high integrity and availability selections should not be presented as evidence of a specific effect such as permanent system modification, browser-profile corruption, denial of service, or damage to macOS. None of those outcomes is described in the supplied Chrome summary.
The score should also not be attributed to NIST. NVD displays the CISA-ADP contribution, but the supplied record does not contain a NIST-authored CVSS 3.x assessment. Accurate reporting keeps both labels intact:
  • Chromium severity: Medium.
  • CISA-ADP CVSS 3.1: 8.1 HIGH.
  • Vendor-documented result: Navigation-restriction bypass through a malicious file.
  • CISA-ADP interaction metric: UI:R.
This distinction matters in vulnerability dashboards and remediation tickets. Reporting only “Medium” omits the contributed standardized score; reporting only “8.1 HIGH” obscures the vendor classification and may encourage unsupported assumptions about impact.

The Mac Boundary Is Operationally Important​

The affected-product configuration identifies Google Chrome on Apple macOS before version 150.0.7871.47. It does not identify Chrome on Windows or Linux as affected.
That platform boundary should remain attached to the CVE as it moves through scanners, asset systems, tickets, and executive reporting. A shared Chromium foundation does not, by itself, establish that every desktop platform or Chromium-derived browser is affected by this particular vulnerability.
Platform and stateChrome versionStatus in supplied recordAdministrative treatment
macOSEarlier than 150.0.7871.47AffectedUpdate and verify the complete version
macOS150.0.7871.47 or laterOutside the documented affected rangeMeets the supplied remediation threshold
WindowsAny versionNot identified as affectedDo not classify as vulnerable from this record alone
LinuxAny versionNot identified as affectedDo not extrapolate the macOS finding
Other Chromium-based browsersAny versionNot establishedObtain information from the relevant vendor
Version 150.0.7871.47 or later should be described only as outside the documented affected range or as meeting the supplied remediation threshold. The available facts do not support the stronger assertion that installing it necessarily “removes” every manifestation or consequence of the issue.
The complete four-part version matters. A report that records only the major release, such as “Chrome 150,” cannot show whether a Mac is below, at, or above 150.0.7871.47.

Weakness Metadata and Record Provenance​

The NVD change history indicates that the weakness metadata changed over time. Chrome supplied CWE-472, External Control of Assumed-Immutable Web Parameter. CISA-ADP later added CWE-190, Integer Overflow or Wraparound, and that mapping was subsequently removed. CWE-472 remains the current mapping in the supplied record.
The public material does not explain why CWE-190 was added and later removed. It would be speculative to characterize the change as a correction, a technical disagreement, or a new conclusion about root cause.
The supportable distinction is that the Chrome description calls the defect an integer overflow, while CWE-472 is the weakness category retained in the record. A concrete vulnerability description and a taxonomy field are related pieces of metadata, but they do not perform the same function.
This is also a reason to preserve attribution when vulnerability information is consolidated:
  • Chrome supplied the concise vulnerability description and its Medium severity.
  • CISA-ADP supplied the CVSS vector, score, and SSVC fields.
  • The weakness record reflects contributions and later changes.
  • NIST’s affected-product analysis associates the vulnerable Chrome range with macOS.
Flattening those contributions into a single unattributed summary can produce avoidable errors. Examples include calling 8.1 an NVD-authored score, describing CWE-190 as the current mapping, or expanding an SSVC field into a claim that the field itself does not make.

CISA-ADP’s SSVC Fields Add Context​

CISA-ADP’s Stakeholder-Specific Vulnerability Categorization contribution lists:
  • Exploitation: none.
  • Automatable: no.
  • Technical impact: partial.
These values should be reported as assessment fields rather than converted into broader factual declarations.
“Exploitation: none” does not, on the supplied facts alone, prove the universal absence of proof-of-concept code, research activity, or private exploitation. The accurate statement is simply that CISA-ADP lists exploitation as none.
“Automatable: no” should likewise remain an attributed SSVC value. It does not establish that every conceivable use of the vulnerability would be impossible to scale, nor does it support claims about self-propagation.
“Technical impact: partial” provides prioritization context but does not expand the vendor-documented impact beyond a navigation-restriction bypass.
Taken together, the SSVC fields support a measured response: remediate affected Macs promptly, preserve the exact scope, and avoid declaring a confirmed compromise or emergency condition solely from this record.

Timeline​

June 30, 2026 — Chrome-originated publication: Chrome supplied the core description of an integer overflow in Safe Browsing that could allow a remote attacker to bypass navigation restrictions through a malicious file. Chromium classified the vulnerability as Medium and identified the affected boundary as Chrome on Mac before version 150.0.7871.47.
July 2, 2026 — Record modification and enrichment: The supplied record shows modification and enrichment activity, including CISA-ADP’s CVSS 3.1 contribution and SSVC fields and NIST’s affected-product analysis.
Weakness metadata changes: CWE-190 was added and later removed. CWE-472 remains the current weakness mapping in the supplied record. No public explanation for that change is established by the provided material.
Current remediation threshold: Chrome 150.0.7871.47 or later on macOS is outside the documented affected range.

Short Admin Guide for Mixed Windows and Mac Fleets​

The WindowsForum-specific operational risk is over-scoping a macOS vulnerability across a mixed fleet—or missing affected Macs because browser reporting is centered on Windows.
Use an inventory question that preserves both platform and full-version precision:
Which managed Macs report Google Chrome earlier than 150.0.7871.47?
Do not use a query that returns only “Chrome installed,” combines all operating systems, or captures only the major browser version. Missing or incomplete version data should be treated as unresolved rather than automatically compliant.
A practical macOS inventory query should retrieve the application’s full version string. For example, an administrator using a shell-based inventory mechanism can read the installed application bundle’s version field:
/usr/bin/defaults read "/Applications/Google Chrome.app/Contents/Info.plist" CFBundleShortVersionString
Organizations may need to adapt the application path or collection method to their managed environment. This command is general inventory guidance, not a procedure prescribed by the CVE record.

Admin checklist​

  • Identify managed macOS devices with Google Chrome installed.
  • Collect the complete Chrome version, including all four version components.
  • Flag versions earlier than 150.0.7871.47.
  • Treat missing, stale, or truncated version results as unresolved.
  • Deploy a release meeting or exceeding the supplied threshold through the organization’s approved process.
  • Verify the resulting installed version after remediation.
  • Do not mark Windows or Linux devices vulnerable from CVE-2026-13974 alone.
  • Do not extend the finding to Microsoft Edge or another Chromium-derived browser without vendor-specific evidence.
  • Record Chromium Medium and CISA-ADP 8.1 HIGH as separately attributed assessments.
  • Describe UI:R as part of CISA-ADP’s CVSS vector, not as a detailed vendor-confirmed exploit sequence.
  • Record the CISA-ADP SSVC exploitation field as “none” without expanding its meaning.
  • Keep unresolved Macs assigned to an owner until the full installed version is known.
  • Monitor the authoritative Chrome and NVD records for changes in scope or technical detail.
A reasonable closure criterion is that every in-scope Mac reports Chrome 150.0.7871.47 or later, or remains documented as an unresolved exception with an identified owner and remediation plan.

Precision Matters More Than Speculation​

CVE-2026-13974 demonstrates how vulnerability data can become distorted as it passes from a vendor notice into databases, scanners, dashboards, tickets, and internal summaries.
A scanner may foreground the 8.1 score without showing that CISA-ADP contributed it. A briefing may mention only Chromium’s Medium label. An asset rule may match every Chrome installation without applying the macOS condition. A ticket may repeat a removed CWE mapping or transform the CVSS impact fields into outcomes not documented by the vendor.
Each shortcut creates a different problem. Overbroad matching sends administrators after Windows and Linux systems not identified as affected. Incomplete version reporting prevents reliable comparison with 150.0.7871.47. Lost attribution blurs the difference between vendor severity and a contributed standardized score. Speculative impact language can turn a documented navigation-restriction bypass into an unsupported claim of complete compromise.
The durable response is narrower and more useful: preserve the product, operating system, complete version boundary, confirmed outcome, current weakness mapping, and provenance of each assessment.
For WindowsForum readers managing mixed estates, the practical next step is clear. Query Macs for the full Google Chrome version, remediate installations earlier than 150.0.7871.47, and verify that they meet the supplied threshold. Keep Windows and Linux outside this CVE’s scope unless new product-specific evidence says otherwise, and continue watching the authoritative record for any future expansion of the affected range or public technical detail.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:39:43-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:39:43-07:00
    Original feed URL
 

Back
Top