CVE-2026-14075: Update Chrome for iOS to 150.0.7871.47

Google’s CVE-2026-14075, published June 30, 2026, documents a Chrome for iOS policy-enforcement flaw affecting versions before 150.0.7871.47, through which a remote attacker could use crafted HTML to bypass the browser’s no-referrer policy after a user interacted with the page. Chromium rates the vulnerability Low, while CISA-ADP assigns it a 4.3 MEDIUM score—a difference that reflects competing ways of measuring a flaw that breaks a privacy promise without producing code execution, privilege escalation, or service disruption. The immediate response is uncomplicated: update Chrome for iOS to 150.0.7871.47 or later. The broader lesson is less comfortable: browser privacy controls are only as strong as the least-tested navigation path that implements them.

Cybersecurity dashboard illustrates a referrer-policy bypass and a patch enforcing no-referrer privacy protection.A Low-Severity Flaw Breaks an Explicit Browser Promise​

CVE-2026-14075 is not the kind of Chrome vulnerability that normally dominates security headlines. There is no reported memory corruption, no browser sandbox escape, no account takeover, and no indication in CISA’s decision record that exploitation has been observed. Instead, the flaw sits in a quieter but increasingly important category: the browser accepted a policy instruction and then reportedly failed to enforce it under a crafted condition.
The instruction in question is no-referrer. A website can use Referrer Policy to control what information a browser supplies when the user or page initiates another request. At its strictest, no-referrer tells the browser not to provide referrer information at all.
That is more than a cosmetic preference. Referrer information can reveal where a request originated, helping destination sites, analytics systems, advertising networks, and application infrastructure reconstruct a user’s path across the web. Depending on how a site constructs its addresses, referrer data can also expose navigation context that the originating site intended to keep private.
Google’s CVE description remains deliberately narrow. It says insufficient policy enforcement in Chrome for iOS before 150.0.7871.47 allowed a remote attacker to bypass no-referrer through a crafted HTML page. It does not publicly document the exact navigation sequence, the precise quantity of information exposed, or the application conditions needed to make the disclosure consequential.
That distinction matters. Third-party vulnerability summaries have generally framed CVE-2026-14075 as a privacy leak, which is a reasonable interpretation of a no-referrer bypass, but the official public record does not establish that every successful trigger exposes an entire sensitive address. Nor does it say that credentials, session material, or personal data are necessarily present.
The defensible conclusion is simpler: Chrome for iOS could transmit referrer information in a situation where the page’s policy said that it should transmit none. The actual harm then depends on what that information contains, who receives it, and whether the affected site made the architectural mistake of putting secrets or sensitive workflow state into an address.

Referrer Policy Is a Boundary Even When It Is Not an Access-Control System​

The web’s Referer request header—historically misspelled in the protocol—can identify the page from which a request originated. The corresponding Referrer Policy determines whether that information is sent and, when it is sent, how much detail is available.
Modern browser defaults have become more privacy-conscious, but an explicit no-referrer policy is stronger than simply relying on a default that reduces cross-origin detail. It expresses an unambiguous requirement: do not attach referrer information to requests governed by that policy.
A bypass therefore creates two problems. The first is direct exposure, because information that should have been absent may reach another endpoint. The second is assurance failure, because site operators, security teams, and developers can no longer assume that setting the policy guarantees the expected browser behavior on every affected client.
That second problem explains why a Low-severity browser bug can still deserve serious engineering attention. Security architecture depends on layers behaving predictably. When a browser silently disregards a declared policy, server-side teams may not see an obvious error, users may notice nothing, and conventional endpoint security products may have no malicious process or file to detect.
The request itself may look normal. The unusual condition is that the request carries context the originating application explicitly told the browser to suppress.
This is also why CVE-2026-14075 should not be confused with a conventional authentication bypass. The attacker is not documented as acquiring a user’s account, defeating a login prompt, or obtaining elevated access. The bypass concerns a browser policy governing information associated with navigation or requests.
That distinction should temper alarmist interpretations without making the vulnerability irrelevant. Privacy controls frequently fail not because an attacker steals a database in one dramatic operation, but because metadata leaks through systems that were assumed to be suppressing it.

The Attack Starts With Crafted HTML, Not a Compromised Device​

The CISA-ADP CVSS vector provides a useful summary of the attack conditions: network-accessible, low complexity, no privileges required, and user interaction required. Scope remains unchanged, availability impact is absent, and the recorded impact is limited.
In practical terms, the attacker does not need an existing account or administrative access to the target iPhone. The attacker does, however, need the user to encounter content capable of reaching the vulnerable Chrome for iOS behavior. Google’s description identifies a crafted HTML page as the delivery mechanism.
That requirement is one reason this is not a silent, self-propagating compromise. CISA’s SSVC record says exploitation is “none,” automation is “no,” and technical impact is “partial.” Those values do not prove that exploitation is impossible; they indicate that the available evidence did not show exploitation and that the issue did not fit the profile of a broadly automatable, high-impact event.
The affected boundary is unusually clean:
Chrome for iOS stateVersion rangeCVE-2026-14075 statusPractical treatment
Older installationEarlier than 150.0.7871.47AffectedUpdate as soon as operationally possible
Patched threshold or newer150.0.7871.47 or laterNot listed as affectedVerify deployment and continue normal update enforcement
NIST’s initial analysis associates the vulnerable Chrome application range with Apple’s iPhone operating system configuration. That matters for inventory work: this is specifically a Chrome for iOS issue, not a general declaration that every Chrome installation below the same-looking version on every operating system is affected.
Administrators should therefore avoid writing an imprecise query that treats every Chrome endpoint as vulnerable based only on the version number. The application, platform, and version threshold belong together. A Windows Chrome deployment is not identified in the NVD configuration for this CVE merely because it runs Chrome.

“Low” and “Medium” Are Not Actually a Contradiction​

The most immediately confusing part of the record is the severity split. Chromium calls the vulnerability Low, while CISA-ADP supplies a CVSS v3.1 base score of 4.3 MEDIUM.
Neither label should be silently substituted for the other. Chromium’s severity is the vendor’s security classification. The 4.3 score is CISA-ADP’s structured CVSS assessment based on a specific vector. NVD, as of its July 6, 2026 modification, had not supplied its own CVSS v4.0, v3.x, or v2.0 assessment.
The CISA vector is revealing because it records no confidentiality impact, low integrity impact, and no availability impact. That may seem counterintuitive for a no-referrer bypass, which is naturally discussed as a privacy concern. But CVSS values encode a formal assessment of effects on the vulnerable system, and they do not always map neatly onto the language practitioners use to describe information exposure or policy failure.
This is a recurring weakness in vulnerability triage by headline score. A single number is attractive because it makes sorting easy, but it can conceal the application-specific conditions that determine actual risk.
For a consumer with an ordinary browsing pattern, the likely practical risk may be limited, particularly because interaction is required and no exploitation was identified in the SSVC record. For an organization whose internal web applications place sensitive workflow details in addresses and rely on no-referrer as the final barrier against disclosure, the same browser flaw can deserve faster treatment.
Conversely, calling it Medium does not turn it into an emergency equivalent to a remotely exploitable code-execution vulnerability. The vector does not record an availability impact, a scope change, or an attack that proceeds without user interaction. There is no basis in the supplied record for telling users that their iPhones have been taken over.
The productive reading is that the labels answer different questions. Chromium’s Low rating describes the vendor’s view of overall security severity. CISA-ADP’s 4.3 MEDIUM score represents a standardized combination of remote reachability, low attack complexity, absent privilege requirements, required interaction, and limited impact.
Security teams should record both rather than flattening the issue into whichever label better fits an existing patching policy.

CWE-602 Exposes the Architectural Problem Behind the Browser Bug​

CISA-ADP maps CVE-2026-14075 to CWE-602, “Client-Side Enforcement of Server-Side Security.” That classification is more useful as an architectural warning than as a complete technical explanation of the underlying Chrome defect.
Referrer Policy is necessarily enforced by the browser because the browser constructs the outgoing request. A server can declare the policy, but it cannot reach into an already deployed browser and guarantee that every client-side path implements the instruction correctly.
That creates an unavoidable trust relationship. The application tells the client what information to suppress, and the application then relies on the client to comply. CVE-2026-14075 demonstrates what happens when that enforcement is incomplete.
The wrong response is to stop using Referrer Policy. It remains a valuable privacy control and a standards-based way to reduce unnecessary data disclosure. The right response is to stop treating it as the only protection for information that would be dangerous if exposed.
A security-sensitive application should assume that URLs can appear in more places than expected: browser history, screenshots, copied links, analytics systems, proxy logs, support tickets, monitoring platforms, and, when controls fail, referrer data. Secrets that remain dangerous outside their intended request should not be placed in URL paths or query strings merely because the browser has been instructed not to disclose the referrer.
This is the deeper significance of a policy-bypass CVE. The patch corrects one client. Architecture determines whether the next client failure becomes a minor metadata defect or an incident involving reusable credentials and sensitive business context.

Chrome on iOS Creates a Distinct Patch-Management Problem​

Windows administrators may initially dismiss this as somebody else’s vulnerability. The affected product is Chrome on iOS, and NIST’s configuration pairs the Chrome application range with Apple’s iPhone operating system. No Windows Chrome configuration is identified for CVE-2026-14075.
Yet enterprise computing has not been confined to Windows desktops for years. Windows-heavy organizations routinely depend on iPhones for email, identity verification, administrative portals, remote access, cloud dashboards, collaboration, and browser-based line-of-business applications.
That mixed environment creates a visibility gap. Desktop browser versions may be captured by endpoint inventory, configuration management, and vulnerability scanners, while mobile browsers are updated through an app store and reported—if they are reported at all—through mobile-device management.
A managed iPhone can therefore be compliant at the operating-system level while still carrying an outdated third-party browser. The OS version alone does not answer the CVE-2026-14075 question. Administrators need the installed Chrome for iOS version.
The problem is sharper in bring-your-own-device environments. An organization may be able to enforce conditional access, application protection, or minimum OS requirements without receiving a complete inventory of every browser build. If users can open sensitive corporate applications in unmanaged Chrome for iOS, the organization may have little direct evidence that the patched release has arrived.
That does not justify banning Chrome for iOS across an entire estate. It does justify checking whether mobile browser versions are visible in the organization’s existing management model and whether critical web applications can restrict access from clients that fall below a supported baseline.
The important operational distinction is between availability of an update and verified installation of an update. Consumer app-store updates can make the first happen quickly. Enterprise assurance requires evidence of the second.

The Public Record Tells Administrators What to Patch, but Not Exactly What to Hunt​

The Chromium issue attached to CVE-2026-14075 requires permission. NIST records the reference, but the underlying technical discussion is not publicly readable through the issue page.
That restriction is common for newly disclosed browser vulnerabilities, particularly when developers want to limit exploit-enabling detail while patched versions propagate. It is defensible as a disclosure practice, but it leaves defenders with a sparse public picture.
The available description does not specify the exact HTML construction, request type, navigation transition, or affected browser component. It also does not state whether exploitation leaves a reliable forensic signature that distinguishes it from ordinary web traffic.
As a result, administrators should be skeptical of overly precise detection advice that is not grounded in vendor documentation. A rule that searches for every incoming Referer header from Chrome for iOS would generate ordinary traffic, not evidence of exploitation. Even finding a referrer where an application intended no-referrer would first establish a policy-enforcement mismatch; it would not, by itself, prove malicious triggering.
CISA’s SSVC exploitation value of “none” is the best official signal in the supplied record about active abuse. It should be read literally and narrowly: no exploitation was identified in that assessment. It is not equivalent to a permanent guarantee that nobody has tested or used the flaw.
The responsible detection posture is therefore application-centered. Teams operating high-sensitivity sites can review whether referrer information from protected workflows has appeared unexpectedly in logs belonging to other services under their control. They can also verify that pages declaring no-referrer behave as intended when accessed from patched Chrome for iOS clients.
What they cannot do from the public record is build a high-confidence compromise detector around a fully documented exploit sequence. The necessary technical detail is not available.

Timeline​

June 30, 2026 — Chrome supplied the new CVE record, including the description, affected range, release-notes reference, restricted Chromium issue, and 150.0.7871.47 version threshold.
June 30, 2026 — NVD published CVE-2026-14075.
July 1, 2026 — CISA-ADP added the CVSS v3.1 vector, 4.3 MEDIUM score, CWE-602 mapping, and SSVC assessment.
July 6, 2026 — NIST added its initial affected-software configuration and classified the Chrome references as release notes, a vendor advisory, and a permission-restricted issue.
July 6, 2026 — NVD recorded its last modification date while continuing to show no NVD-provided CVSS assessment.

Patch Management Should Be Faster Than the Debate Over the Score​

Nothing in the record supports an organization-wide emergency change window. Nothing in it supports leaving vulnerable installations in place merely because Chromium used the word Low, either.
The fixed boundary is explicit, the update is narrow, and browser updates are normally less disruptive than compensating controls designed around a known policy defect. That makes CVE-2026-14075 a straightforward patching decision even when its placement in the broader vulnerability queue remains risk-based.
Managed-device teams should identify Chrome for iOS installations earlier than 150.0.7871.47 and move them to the threshold release or newer. If the management platform cannot report individual application versions, this CVE is a useful test of whether the mobile fleet is truly managed or merely enrolled.
The organization should also determine whether update policies permit users to defer app-store updates indefinitely. A device that checks in successfully but allows a vulnerable browser to remain installed for weeks is not delivering the assurance most administrators assume from the word “managed.”
For unmanaged devices, technical enforcement may be more limited. Administrators can still communicate a minimum supported browser version, use application or access controls where available, and prioritize sensitive applications whose users are likely to browse from iPhones.

Action checklist for admins​

  • Inventory Chrome installations specifically on iOS rather than searching all Chrome platforms by version alone.
  • Identify and remediate every Chrome for iOS installation earlier than 150.0.7871.47.
  • Confirm through mobile-device management or equivalent reporting that the patched version is installed, not merely offered.
  • Review whether users can postpone required third-party application updates on managed iPhones.
  • Identify sensitive web applications that depend on no-referrer and test them with the patched browser.
  • Escalate any application that places reusable credentials, reset material, or sensitive workflow data in URLs for architectural remediation.

Web Application Owners Have More Work Than Endpoint Teams​

Updating Chrome addresses the known browser defect. It does not correct an application that relies on a single client-side privacy directive to make dangerous URL design safe.
Web teams should begin by finding where Referrer-Policy is set. The policy may be delivered as an HTTP response header, declared in page markup, or influenced by individual elements. The important question is not simply whether no-referrer appears somewhere, but what information the application assumes will remain private because of it.
That review should focus on authentication and recovery workflows, administrative interfaces, invitation links, document-sharing systems, payment flows, and internal applications whose paths or query strings reveal customer identifiers or operational details. The presence of sensitive information in a URL is a risk independently of CVE-2026-14075.
Short-lived, single-use links can reduce consequences when a URL must carry capability-like state, but expiration does not erase every disclosure risk. A leaked address can still reveal names, internal resource structures, transaction context, or identifiers useful for correlation.
Server-side validation is equally important. A destination should not grant meaningful authority solely because a request appears to have originated from a trusted page, and an application should not assume the absence or presence of a referrer proves a user’s legitimacy. Referrer information is contextual metadata, not a durable authentication mechanism.
This is where the CWE-602 mapping earns its place. If a server’s security depends on a client applying a policy perfectly, the system has made the client part of the security boundary. Browser vendors work hard to uphold that boundary, but the web platform’s history makes perfection a poor architectural prerequisite.
The patch and the architecture review should proceed in parallel. Endpoint teams can close the known vulnerable population quickly. Application teams can reduce the impact of similar policy failures across browsers, embedded web views, automation tools, and future code paths that have not yet acquired a CVE.

The Windows Lesson Is About Mixed-Fleet Blind Spots​

CVE-2026-14075 does not make Windows vulnerable, but it exposes a familiar weakness in Windows-centered operations: the assumption that browser security ends with the managed desktop.
A user may start a workflow in Edge or Chrome on a Windows PC, continue it from an iPhone, approve an identity prompt, and open a corporate link in whichever mobile browser is registered as the default. From the application’s perspective, those are sessions within the same business system. From the IT organization’s perspective, they may cross several disconnected inventories and enforcement systems.
This fragmentation complicates incident response. Web server logs can show requests and user-agent information, identity systems can show sign-ins, endpoint tooling can show Windows browser versions, and mobile management can show iPhone application inventories. Few organizations correlate all four routinely.
A low-impact browser policy flaw is therefore a useful operational exercise. Can the security team answer how many managed iPhones have Chrome installed? Can it identify the installed versions? Can it force or strongly encourage an update? Can application owners name the systems that rely on referrer suppression? Can the organization distinguish managed and unmanaged mobile-browser access?
If the answers are unavailable, the main discovery from CVE-2026-14075 may not be a compromised user. It may be that the enterprise lacks the telemetry required to assess a mobile-browser vulnerability at all.
That is a more durable finding than the CVE itself. Chrome for iOS 150.0.7871.47 can be deployed once. The mobile inventory and application-design weaknesses exposed by the exercise will affect the response to every browser advisory that follows.

What the Evidence Does Not Support​

The public record does not support describing CVE-2026-14075 as remote code execution. It does not support claims of an iPhone takeover, sandbox escape, credential theft, or persistent device compromise.
It also does not establish widespread exploitation. CISA’s SSVC assessment explicitly records exploitation as none, automation as no, and technical impact as partial. Those are important constraints on the story.
Nor does the CISA-ADP score make Chromium’s Low classification false. The two assessments use different frameworks and communicate different judgments. Administrators should retain both in vulnerability records and explain any locally assigned priority in terms of application exposure, fleet size, and update availability.
The NVD page also should not be represented as carrying a finalized NIST score. Its CVSS v4.0, v3.x, and v2.0 sections all show that an NVD assessment had not yet been provided as of the July 6 modification.
Finally, the restricted Chromium issue means that confident claims about the flaw’s internal root cause, exact request flow, or complete exploit mechanics go beyond the public evidence. Such claims may eventually prove accurate, but they should be attributed as third-party analysis rather than presented as confirmed vendor detail.
This restraint is not pedantry. Small browser vulnerabilities are especially vulnerable to exaggeration because the technical description is short and the surrounding language—remote attacker, bypass, crafted HTML—sounds more dramatic when separated from the interaction requirement and limited impact.

The Practical Reading: Update the Browser, Then Audit the Assumption​

CVE-2026-14075 is a bounded vulnerability with a clear affected range and a modest official impact profile. Its real value to defenders is the way it reveals a hidden dependency: websites routinely trust browsers to enforce privacy decisions that the server cannot independently guarantee.
  • Chrome for iOS versions earlier than 150.0.7871.47 are the affected installations identified by NIST.
  • The attack requires crafted HTML and user interaction; no privileges are required.
  • Chromium rates the flaw Low, while CISA-ADP scores it 4.3 MEDIUM.
  • CISA’s SSVC record identifies no exploitation, no broad automation, and partial technical impact.
  • NVD had not supplied its own CVSS assessment as of July 6, 2026.
  • Updating the browser fixes the known client flaw, but removing sensitive data from URLs reduces the consequence of future policy failures.
CVE-2026-14075 will probably not be remembered as one of Chrome’s defining security crises, and that is precisely why it deserves a measured response rather than neglect or panic. The update closes the documented policy bypass; the lasting work is to ensure that mobile browsers are visible to enterprise patch management and that web applications remain secure even when a client-side privacy promise fails.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:40:41-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:40:41-07:00
    Original feed URL
  3. Related coverage: cvefeed.io
  4. Related coverage: caniuse.com
  5. Related coverage: developer.chrome.com
  6. Related coverage: issues.chromium.org
  1. Related coverage: vulnerability.circl.lu
 

Back
Top