CVE-2026-13975: Update Chrome for Mac to 150.0.7871.47

Answer
  • Affected: Google Chrome on macOS before 150.0.7871.47
  • Action: Update Chrome, relaunch it, and confirm version 150.0.7871.47 or later
  • Windows: Not identified as affected in the supplied CVE record
  • Urgency: Prompt routine remediation; the supplied record contains no evidence of exploitation
The most important complication is a documented metadata discrepancy. The CVE description and affected-version data identify Chrome on macOS before 150.0.7871.47 as affected, but the NIST CPE range stops before 150.0.7871.46. That leaves version 150.0.7871.46 treated differently across fields in the public record.
Administrators should use 150.0.7871.47 as the minimum verified version. This follows the explicit threshold in the vulnerability description and affected-version entry without speculating about why the CPE range differs. A Mac running 150.0.7871.46 should therefore remain in the remediation population.
CVE-2026-13975 is a medium-severity out-of-bounds read in ANGLE. According to the CVE description, a remote attacker who has already compromised a renderer process can use a crafted HTML page to obtain potentially sensitive information from process memory. The prerequisite sharply limits what can be claimed: this record does not describe the vulnerability as a standalone browser takeover, direct sandbox escape, or independently sufficient path to code execution.
The supplied record also does not establish active exploitation. The proportionate response is to update affected Macs promptly, verify the running browser version after relaunch, and avoid either sensationalizing the issue or allowing its medium rating to turn it into indefinite maintenance backlog.

Security graphic warns of a Chrome ANGLE vulnerability affecting macOS, with Windows unaffected.The Version Records Do Not Line Up Perfectly​

The clearest remediation threshold appears in the CVE description: Google Chrome on Mac before 150.0.7871.47 is affected. The affected-version information likewise uses 150.0.7871.47 as its less-than boundary.
NIST’s CPE configuration is narrower. It combines the Chrome application CPE with Apple macOS, but the Chrome range extends up to, excluding, 150.0.7871.46. Read literally, that range omits 150.0.7871.46 even though the description and affected-version entry place versions before 150.0.7871.47 within scope.
RecordPlatform scopeVersion conditionOperational interpretation
CVE descriptionGoogle Chrome on MacBefore 150.0.7871.47Versions below 150.0.7871.47 are identified as affected
Affected-version entryGoogle ChromeLess than 150.0.7871.47Establishes 150.0.7871.47 as the remediation threshold
NIST CPE configurationChrome combined with macOSUp to, excluding, 150.0.7871.46Narrower than the description and affected-version entry
Verification targetChrome on macOS150.0.7871.47 or laterAppropriate minimum for remediation checks
This should be described as a documented metadata discrepancy, not as proof of a particular publication, synchronization, or normalization problem. The record establishes that the fields differ; it does not explain why they differ.
For remediation, the conservative and textually supported choice is straightforward: require Chrome 150.0.7871.47 or later on macOS. That avoids treating a Mac on 150.0.7871.46 as safe based solely on the narrower CPE range.
The discrepancy should also be included in internal validation notes. If an inventory or security report produces an unexpected result for 150.0.7871.46, analysts should compare the result with the explicit version threshold rather than assuming that one machine-readable field settles the question.
Platform scope is clearer. The supplied CVE record identifies Chrome on Mac, and the NIST configuration pairs Chrome with macOS. It does not identify Chrome on Windows as affected by CVE-2026-13975. Windows installations should not be labeled vulnerable to this specific CVE without additional vendor evidence.

What the Vulnerability Is Documented to Do​

CVE-2026-13975 is classified as CWE-125, an out-of-bounds read. The disclosed result is access to potentially sensitive information from process memory through a crafted HTML page, subject to the prerequisite that the attacker has already compromised the renderer process.
That wording establishes several useful boundaries.
First, the record describes an information-disclosure effect. It does not assign integrity or availability impact, and it does not state that CVE-2026-13975 directly permits an attacker to change data, disrupt the browser, escape a security boundary, or execute code with additional privileges.
Second, user interaction is part of the published CVSS vector. The CISA-ADP assessment assigns CVE-2026-13975 a CVSS 3.1 base score of 5.3 with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N. In practical terms, that assessment describes a network-reachable issue with high attack complexity, no required privileges, required user interaction, high confidentiality impact, and no assigned integrity or availability impact.
Third, the prerequisite is explicit. A crafted page alone is not documented as sufficient; the attacker must already have compromised the renderer process. The public record does not identify the separate vulnerability or technique that would satisfy that condition.
It is fair, as general security context, to observe that a vulnerability requiring prior renderer compromise could potentially matter as one part of a broader attack. It is not fair to claim that CVE-2026-13975 defeats a specific defense, makes another exploit reliable, reveals a particular category of secret, or has been integrated into a multi-vulnerability chain. None of those conclusions is established by the supplied record.
That distinction consolidates the score-versus-chain issue into a single qualified point: the medium score reflects the documented vulnerability and its substantial prerequisite, while the prerequisite does not make patching unnecessary. Beyond that, claims about hypothetical exploit chains would outrun the available evidence.

“No Exploitation” Is Reassuring but Time-Bound​

The supplied SSVC information lists exploitation as “none,” automatable as “no,” and technical impact as “partial.” Those labels support prompt routine remediation rather than emergency handling based on confirmed attacks.
“None” should be read narrowly. It indicates that the assessment record did not identify exploitation; it is not a guarantee that exploitation is impossible or will never be reported. Likewise, “no” for automatable is an assessment value, not proof that every conceivable attack would require manual operation.
The absence of supplied exploitation evidence is still operationally important. It means the record does not support calling CVE-2026-13975 an exploited zero-day, an active campaign, or an emergency comparable to a browser flaw with confirmed attacks in the wild.
At the same time, no elaborate theory is needed to justify remediation. The affected platform and minimum safe version are explicit, and updating a supported browser is the direct corrective action. The suitable posture is measured: do not manufacture an incident, but do not leave affected versions in place simply because the published severity is medium.

The Renderer Prerequisite Must Remain in Every Summary​

Short vulnerability summaries often lose conditions as they move from a CVE record into tickets, newsletters, and executive reports. That would materially distort this issue.
An inaccurate summary might say that visiting a crafted webpage lets an attacker read sensitive Chrome memory. The supplied description is more constrained: the attacker must first compromise the renderer process and can then use a crafted HTML page to obtain potentially sensitive information from process memory.
The difference affects both urgency and communication. CVE-2026-13975 should not be presented as an independent one-click compromise based on the current evidence. Conversely, the prerequisite should not be converted into a reason to ignore the vulnerability. It is a condition on exploitation, not a statement that affected software requires no remediation.
Useful internal wording would be:
CVE-2026-13975 is an out-of-bounds read affecting Chrome on macOS before 150.0.7871.47. The CVE description says an attacker who has already compromised the renderer process can use a crafted HTML page to obtain potentially sensitive information from process memory. No exploitation is identified in the supplied record.
That formulation retains the confirmed effect, prerequisite, platform, version threshold, and exploitation status without adding unsupported architectural or attack-chain claims.

End Users Should Update, Relaunch, and Verify​

Mac users should complete the update through Chrome and then verify the exact version:
  1. Open Google Chrome.
  2. Select the Chrome menu (⋮).
  3. Select Help.
  4. Select About Google Chrome.
  5. Allow the version check to complete.
  6. If Relaunch is offered, select it.
  7. After Chrome opens again, return to Chrome menu (⋮) > Help > About Google Chrome.
  8. Confirm that the displayed version is 150.0.7871.47 or later.
The verification step matters because the security threshold is expressed as a version number. Users should not infer compliance merely from having opened the About page or having seen an update message. The conclusive check for this article’s purposes is the version displayed after completing the offered relaunch: 150.0.7871.47 or later.
If Chrome continues to display an earlier version, the device remains below the documented remediation threshold. The user should report the problem to the organization’s support or administration team rather than assuming that no further action is needed.
Windows users do not need to treat this procedure as remediation for CVE-2026-13975 based on the supplied record, because that record identifies macOS rather than Windows as affected. They may still follow their organization’s normal browser-maintenance requirements, but Windows should not be added to this CVE’s scope without supporting evidence.

Action checklist for administrators​

  • Inventory Chrome installations on managed Macs.
  • Identify every Mac reporting a Chrome version below 150.0.7871.47.
  • Instruct affected users to open Chrome menu (⋮) > Help > About Google Chrome and allow the check to complete.
  • Tell users to select Relaunch if that option appears.
  • Verify that Chrome reports 150.0.7871.47 or later after the relaunch.
  • Keep Macs on 150.0.7871.46 in the remediation population.
  • Document the conflict between the CPE range and the description’s version threshold.
  • Do not extend the affected-platform designation to Windows without further vendor evidence.
  • Escalate Macs that cannot reach the minimum version through the organization’s established browser-support process.
  • Preserve the renderer-compromise prerequisite and the absence of supplied exploitation evidence in internal tickets and reports.
This checklist intentionally stays close to what the record can support. It does not assume particular management products, policy settings, update services, monitoring capabilities, or deployment workflows. Organizations can apply their own tooling, but the common success criterion is a Mac running Chrome 150.0.7871.47 or later.

The Severity Assessment Needs Precise Attribution​

The published CVSS 3.1 base score is 5.3, assigned by CISA-ADP. The vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N.
That score should not be described as an NVD score. The supplied information says NVD lists no assessment for CVSS 4.0, CVSS 3.x, or CVSS 2.0. NVD’s absence of a score is not itself a severity judgment and should not be paraphrased as evidence that the vulnerability is insignificant.
The CISA-ADP vector identifies high confidentiality impact but no integrity or availability impact. It also identifies high attack complexity and required user interaction. Those values are consistent with the CVE description’s prerequisite and its focus on obtaining potentially sensitive information from process memory.
The medium score is therefore understandable within the documented conditions. There is no need to inflate it with unsupported claims about defeating memory protections or completing an exploit chain. There is equally no need to treat “medium” as permission to disregard a browser security update with a clearly stated fixed-version threshold.
A concise priority statement is enough: remediate promptly through the normal security-update process, with faster attention for devices that remain below the threshold, while reserving emergency incident language for evidence that is not currently present in the supplied record.

The Record Contains a Restricted Chromium Issue​

The associated Chromium issue requires permission. That is the fact established by the supplied material. The record does not, by itself, establish why access is restricted, how long that restriction will remain, whether related code is still exposed, or what disclosure policy was applied in this particular case.
The restricted status limits technical conclusions. Publicly available information identifies the component, weakness category, affected platform, prerequisite, potential confidentiality effect, and remediation threshold. It does not provide enough detail to claim a particular memory layout, affected data type, exploit technique, detection signature, or forensic artifact.
Defenders should therefore build their response around the facts that are available rather than waiting for or speculating about technical details:
  • The affected platform is macOS.
  • Affected Chrome versions are before 150.0.7871.47.
  • The vulnerability is an out-of-bounds read.
  • The documented potential outcome is disclosure of sensitive process memory.
  • Prior renderer compromise is required.
  • The supplied assessment identifies no exploitation.
  • Updating and verifying version 150.0.7871.47 or later is the corrective action.
Restricted technical details are a reason for restraint in analysis, not a reason to postpone the version check.

Timeline​

The timestamps need to remain attached to the events they actually describe. In particular, the CISA-ADP CVE modification timestamp and the SSVC timestamp are different. The record does not establish that the full SSVC assessment was added at the earlier modification time.
June 30, 2026, 10:16:54 PM: The supplied record gives this as the CISA-ADP CVE modification timestamp.
July 1, 2026, 1:22:06.217898 AM UTC: The supplied SSVC data carries the timestamp 2026-07-01T01:22:06.217898Z, with exploitation assessed as none, automatable as no, and technical impact as partial.
These entries should not be used to infer when the corrected Chrome build first shipped. The supplied NVD facts establish CVE receipt or publication information and the existence of a vendor-advisory reference, but they do not establish a June 30 release date for the fix.
Likewise, the available material does not support stating that a stable-channel announcement listed Chrome 150.0.7871.46/.47 for Windows and Mac. That release claim should remain outside the timeline unless a separate source directly establishes it.
The defensible chronology is therefore limited to the timestamps actually present in the supplied vulnerability record. The remediation decision does not depend on reconstructing an unsupported release date because the affected-version threshold itself is explicit.

Mixed Windows and Mac Fleets Need Precise Scoping​

CVE-2026-13975 is relevant to Windows-focused administrators because many organizations manage mixed fleets, but that does not make Windows an affected platform.
The supplied CVE description identifies Google Chrome on Mac, while the NIST configuration combines the Chrome application entry with macOS. Nothing in the supplied record identifies Chrome on Windows as affected. Tickets, summaries, and asset lists should preserve that distinction.
Over-scoping creates unnecessary work and can reduce confidence in vulnerability communications. If every Chrome installation is labeled vulnerable despite a Mac-specific record, users and administrators may have difficulty separating evidence-based remediation from generic patch messaging.
Under-scoping is also possible. An organization that primarily manages Windows may overlook a smaller Mac population. The correct response is not to redefine the CVE as a Windows issue, but to ensure that the actual Mac population is included in the version check.
The version discrepancy makes precision especially important. A useful inventory result should distinguish at least these categories:
Device stateCVE-2026-13975 treatment
Mac with Chrome below 150.0.7871.47Identified as affected; remediate
Mac with Chrome 150.0.7871.46Keep in scope despite the narrower CPE range
Mac with Chrome 150.0.7871.47 or laterMeets the stated remediation threshold
Windows device running ChromeNot identified as affected in the supplied CVE record
Device with unknown OS or Chrome versionGather enough information to classify it
This approach separates platform scope from general browser-update policy. An organization may choose to update Chrome everywhere, but its CVE reporting should still accurately state which systems the available record identifies as affected.

Avoid Unsupported Detection and Incident Claims​

The public record does not provide a unique indicator of compromise, exploit signature, log pattern, crash signature, or forensic artifact for CVE-2026-13975. It also does not establish what any particular scanner, endpoint product, browser console, or vulnerability platform can detect.
Security teams should avoid treating a generic browser crash, contact with a webpage, or the presence of Chrome on a Mac as proof of exploitation. The vulnerability’s documented prerequisite and effect are too specific for those observations to establish causation.
Similarly, a report that does not flag the CVE should not be used by itself to override the explicit version threshold, particularly for Chrome 150.0.7871.46. The documented CPE discrepancy is enough to warrant direct comparison against the minimum safe version.
If an organization encounters suspicious activity, it should follow its established incident-response process and evaluate all available evidence. CVE-2026-13975 may be considered where the affected platform and version align, but the supplied record does not support a CVE-specific detection playbook.
This restraint improves the article’s usefulness. Defenders receive a clear remediation target without being given invented certainty about what their tools will show or what an attack would leave behind.

What the Record Does—and Does Not—Establish​

The confirmed case can be summarized compactly.

Established by the supplied record​

  • The vulnerability is CVE-2026-13975.
  • It is associated with an out-of-bounds read in ANGLE.
  • It affects Google Chrome on macOS before 150.0.7871.47.
  • It requires prior renderer-process compromise.
  • A crafted HTML page can then be used to obtain potentially sensitive information from process memory.
  • CISA-ADP assigns a CVSS 3.1 score of 5.3.
  • The SSVC data lists exploitation as none, automatable as no, and technical impact as partial.
  • The NIST CPE range is narrower than the version threshold in the description and affected-version entry.
  • The associated Chromium issue requires permission.

Not established by the supplied record​

  • That the fix shipped on June 30, 2026.
  • That a particular stable-channel announcement listed versions 150.0.7871.46/.47 for Windows and Mac.
  • That Windows or Linux is affected.
  • That CVE-2026-13975 is being exploited.
  • That it independently enables browser takeover, code execution, or a sandbox escape.
  • That it defeats randomization or reveals a specific category of data.
  • That it has been used in a multi-flaw exploit chain.
  • Why the CPE range conflicts with the other version fields.
  • Why the Chromium issue is permission-restricted.
  • What scanners, monitoring products, or endpoint tools will report.
  • What forensic or detection artifacts exploitation would produce.
Keeping these two lists separate prevents reasonable security context from turning into unsupported fact.

The Practical Decision Is Simpler Than the Metadata​

CVE records often contain multiple contributors, scoring systems, structured fields, and timestamps. Those details matter, particularly when they conflict, but administrators still need a direct answer.
For CVE-2026-13975, that answer is:
  1. Find Macs running Chrome.
  2. Update any installation below 150.0.7871.47.
  3. Use Chrome menu (⋮) > Help > About Google Chrome.
  4. Allow the check to complete.
  5. Select Relaunch if offered.
  6. Return to the About page and confirm 150.0.7871.47 or later.
  7. Do not classify Windows as affected based on the supplied record.
  8. Record that there is no supplied evidence of exploitation.
  9. Keep 150.0.7871.46 in scope despite the conflicting CPE range.
That is prompt routine remediation, not crisis response. The vulnerability has a meaningful confidentiality impact in its published assessment, but exploitation carries a substantial documented prerequisite. Both facts belong in the same risk decision.

What Mac and Windows Teams Should Carry Forward​

Mac teams should treat Chrome 150.0.7871.47 as the minimum acceptable version for this issue and verify it after completing the end-user update procedure. A browser still reporting 150.0.7871.46 remains below the explicit threshold even though one CPE range is narrower.
Windows teams should not open CVE-specific remediation against Windows systems without additional evidence. Their role in a mixed environment is to help ensure accurate inventory, ownership, communication, and escalation for the affected Macs—not to broaden the platform scope beyond the record.
Security writers and vulnerability analysts should preserve three qualifications in every downstream summary: prior renderer compromise is required, no exploitation is identified in the supplied record, and the structured CPE range conflicts with the description’s threshold.
The forward-looking lesson is not that every medium browser flaw should become an emergency. It is that remediation decisions work best when teams separate confirmed effects from general security context, preserve prerequisites instead of dropping them from summaries, and compare live versions against the clearest supported threshold.
For now, the appropriate endpoint is concrete and verifiable: Chrome on macOS should report version 150.0.7871.47 or later after the update check and relaunch.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:39:44-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:39:44-07:00
    Original feed URL
  3. Related coverage: chromium.org
  4. Related coverage: blog.chromium.org
  5. Official source: pages.nist.gov
 

Back
Top