CVE-2026-14099: Update Chrome for iOS to 150.0.7871.47

Google disclosed CVE-2026-14099 on June 30, 2026, a use-after-free flaw affecting Chrome for iOS before version 150.0.7871.47 that could let a remote attacker, after inducing specific user-interface gestures on a crafted HTML page, corrupt heap memory on an iPhone running the vulnerable browser build. Google labels the vulnerability Low, while CISA’s enrichment assigns it an 8.8 High score and assumes severe consequences for confidentiality, integrity, and availability. That apparent contradiction is the story: the flaw has a potentially damaging technical endpoint, but its user-interaction requirement, lack of known exploitation, and resistance to automation substantially narrow the route to that endpoint. For users and administrators, the answer is not to debate which label wins—it is to update Chrome for iOS while keeping the vulnerability out of Windows-only incident queues.

Infographic depicts an iOS Chrome use-after-free vulnerability with high theoretical impact but low exploitability.A Low-Rated Chrome Bug With a High-Impact Failure Mode​

The Chrome-authored description is unusually precise about what an attacker must accomplish. The victim must be using Chrome on iOS before 150.0.7871.47, must encounter a crafted HTML page, and must be convinced to perform specific interface gestures before the attacker can potentially trigger heap corruption. This is not described as a passive, no-click compromise, nor does the record say that merely loading a page is enough.
That interaction requirement explains much of Google’s Low classification. A vulnerability can involve memory corruption without being easy to reach reliably in a practical attack: the attacker may need to place the page in a particular state, persuade the victim to manipulate the interface in a specific sequence, and preserve the necessary memory conditions long enough to trigger the stale reference.
The underlying weakness is identified as CWE-416, or Use After Free. In broad terms, that class of error occurs when software releases a memory object but later attempts to use a reference to it as if the object still existed. If the freed area has been reused or its contents have changed, the stale reference can cause a crash, expose unintended data, or corrupt the application’s heap.
The CVE record stops at potential heap corruption. It does not publicly document a complete exploit chain, an observed attack campaign, a sandbox escape, or code execution outside the browser’s security boundaries. Those omissions matter because heap corruption describes a dangerous primitive, not an automatic account takeover or device compromise.
Some downstream vulnerability summaries, including SentinelOne’s database entry, interpret the memory-corruption condition as potentially leading to code execution in the browser process. That is a plausible security concern associated with some use-after-free flaws, but it goes beyond what the Chrome-authored CVE description explicitly promises an attacker can achieve. The distinction is important: defenders should not minimize the flaw, but neither should they silently promote a potential intermediate condition into a demonstrated exploit outcome.

The Severity Dispute Is Really a Difference in Method​

CVE-2026-14099 arrives with three different forms of severity information, and they answer different questions. Chrome supplies the vendor severity of Low; CISA-ADP supplies a CVSS 3.1 base score of 8.8 High; and NVD has not yet supplied its own CVSS 4.0, 3.x, or 2.0 assessment.
Assessment sourcePublished judgmentExploit assumptionsImpact assumptionsPractical interpretation
ChromeLowCrafted page plus specific UI gesturesPotential heap corruptionDifficult or constrained trigger lowers practical severity
CISA-ADP CVSS 3.18.8 HighNetwork-accessible, low complexity, no privileges, user interaction requiredHigh confidentiality, integrity, and availability impactSerious result if exploitation succeeds
CISA SSVCExploitation: none; automatable: noNo exploitation identified and not readily automatedTechnical impact: totalHigh theoretical consequence, limited current operational evidence
NVDNo assessment yetNot independently scoredNot independently scoredDo not describe 8.8 as an NVD score
The CISA-ADP vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. In plain English, CISA’s model treats the attack as network-reachable, low in attack complexity, requiring no prior privileges, and dependent on user interaction; it then assumes a successful exploit could have high effects across confidentiality, integrity, and availability while remaining within the same security scope.
Those inputs naturally produce a high base score. CVSS is designed to quantify the characteristics and possible technical consequences of a vulnerability, not to measure whether criminals are currently exploiting it or whether ordinary users are likely to complete the required gesture sequence. A high score therefore does not contradict the absence of known attacks.
Chrome’s Low label appears to place more weight on reachability and exploit reliability. The vulnerability is not described as a generic drive-by path: it requires an attacker to convince the target to engage in specific user-interface behavior. Google may also have internal information about the affected component, mitigations, controllability of the corrupted memory, or the practical difficulty of turning the bug into a stable exploit, although the restricted Chromium issue prevents the public from verifying those possibilities.
This is why collapsing the story into “Google says Low, CISA says High” is misleading. The two labels can coexist because they are evaluating different layers of risk. CVSS models the consequence of successful exploitation; vendor severity can incorporate practical exploitability and product-specific context.
The most useful bridge between those perspectives is the SSVC data added by CISA. It records exploitation as “none,” automation as “no,” and technical impact as “total.” That combination is almost a one-line threat model: there is no identified exploitation, the attack is not considered readily automatable, but a successful outcome could be severe.

User Gestures Turn a Memory Bug Into a Social-Engineering Problem​

The phrase “specific UI gestures” deserves more attention than it usually receives in vulnerability summaries. It means the crafted page alone is not the entire exploit. The attacker must also shape the victim’s behavior, making the flaw partly a browser-security problem and partly a social-engineering problem.
The public record does not identify the gestures. They could involve taps, swipes, navigation actions, controls, or another interaction sequence, but assigning a particular mechanism would be speculation while the Chromium issue remains permission-restricted. Google commonly limits access to bug details while updates are still propagating or when disclosure might expose reusable attack information.
That secrecy has a practical consequence for defenders. Security teams cannot yet build a precise behavioral rule around the gesture sequence, and users cannot be given a reliable warning such as “never press this control after opening an untrusted page.” The defensible guidance must remain broader: do not follow unusual interaction instructions on pages reached through unsolicited links, messages, advertisements, or redirects.
This requirement also changes the likely economics of abuse. A fully passive browser exploit can potentially be deployed at scale because each page view creates an opportunity. An exploit dependent on a specific sequence of victim actions is harder to automate and more likely to need a convincing lure, carefully designed page content, or a target already willing to follow instructions.
That aligns directly with CISA’s “automatable: no” SSVC judgment. It does not make exploitation impossible, and it does not guarantee that attackers cannot streamline portions of the chain. It says the vulnerability, as assessed, does not lend itself to dependable autonomous exploitation across large numbers of devices.
Targeted attacks remain the more concerning scenario. A crafted page sent to a selected individual can be paired with a believable pretext—account verification, document review, a mobile workflow, or another interaction-heavy task. The user-action barrier that slows mass exploitation may offer much less protection when an attacker knows the target and can tailor the lure.
The absence of identified exploitation should therefore be read as a current intelligence signal, not a permanent safety guarantee. It lowers immediate incident-response urgency compared with an actively exploited zero-day, but it does not justify leaving a vulnerable browser installed after a fixed version is available.

The Version Boundary Is Clearer Than the Database Syntax​

The operational threshold is straightforward: Chrome for iOS versions prior to 150.0.7871.47 are affected. Devices running 150.0.7871.47 or a later release fall outside the vulnerable range described by the CVE and the NIST CPE analysis.
The raw affected-version structure is more confusing. It uses 150.0.7871.47 as the version value, marks the entry affected, and also supplies a custom “less than 150.0.7871.47” condition. Read literally and without understanding the range fields, that structure can look as though the boundary release itself is vulnerable.
The prose description and NIST’s CPE configuration resolve the ambiguity. NIST maps the affected Chrome application range up to, but excluding, 150.0.7871.47 and pairs it with Apple’s iPhone operating-system configuration. In practical vulnerability-management terms, the comparison operator—not the anchor value displayed in isolation—defines exposure.
This matters because asset-management systems do not always parse custom version ranges consistently. A scanner that stores only the base version field may report 150.0.7871.47 as affected, while another may correctly evaluate the less-than condition and treat it as the fixed boundary. Administrators should verify the installed version directly rather than accepting an isolated scanner label as proof.
The reverse failure is also possible. Inventory data may show that Chrome is installed without returning its complete four-part build number, leaving the security platform unable to determine whether it is below the threshold. Those devices should be treated as unverified, not automatically compliant.
For personally owned devices, the practical fix is to install the available Chrome update through the normal iOS application-update channel and then confirm the browser reports 150.0.7871.47 or later. In managed environments, the task is larger: force or accelerate deployment, query the installed application version, and pursue devices that have stopped checking in or cannot establish compliance.

A Desktop Advisory Creates a Mobile Attribution Problem​

The NVD record identifies Chrome as the CVE source and tags Google’s June 30 Stable Channel Update for Desktop as the vendor advisory. That page announces Chrome 150 for Windows, macOS, and Linux, including 150.0.7871.46 on Linux and 150.0.7871.46 or.47 on Windows and Mac, and says the update contains 433 security fixes.
CVE-2026-14099 appears within that enormous desktop release ledger even though its own CVE description and affected CPE configuration are explicitly limited to Chrome on iOS. The page includes numerous platform-specific findings in one security inventory, so its presence there should not be interpreted as evidence that the same vulnerability affects desktop Chrome.
This packaging is efficient for Google but awkward for vulnerability-management systems. A platform-neutral parser may ingest the advisory, see “Google Chrome,” associate it with a familiar desktop version number, and propagate the CVE to Windows or macOS endpoints without enforcing the operating-system constraint.
CERT-FR’s July 2 advisory demonstrates the same cataloging tension. It lists affected desktop Chrome versions for Windows, Linux, and Mac, yet its long CVE reference list includes CVE-2026-14099. CERT-FR is reporting on the broader Chrome security release, not independently stating that every CVE in the list applies to every operating system named at the top of the bulletin.
For Windows administrators, this is not a semantic detail. CVE queues are increasingly fed into patch dashboards, ticketing systems, compliance reports, and executive risk summaries with little human review. A platform-specific mobile flaw can become a false-positive Windows emergency if the data pipeline keys only on the Chrome product name or a shared release family.
The NIST configuration provides the correct applicability test: the vulnerable Chrome application range must be evaluated together with the Apple iPhone operating-system CPE. A Windows machine running Chrome is not within that configuration merely because the browser’s name matches.
That does not make the story irrelevant to WindowsForum readers. Microsoft-focused IT teams frequently manage mixed estates, including corporate iPhones used for Outlook, Teams, identity verification, cloud administration, and privileged web access. The endpoint may be an iPhone, but the exposed identity and data can still belong to a Windows-centered organization.
The correct response is therefore to route the vulnerability to the mobile-device or unified-endpoint-management owner, not dismiss it as “not Windows” and not attach it indiscriminately to every desktop running Chrome. Mature vulnerability management is as much about accurate scoping as it is about aggressive patching.

The Restricted Bug Leaves the Most Important Exploit Details Unknown​

NVD points to a Chromium issue identified as 513382161, but the issue requires permission. The public cannot inspect the vulnerable code path, reproduction steps, crash traces, patch review, reporter discussion, or technical explanation that might show why Chrome assigned the flaw a Low severity.
Google’s desktop release advisory explains that access to bug details may remain restricted until a majority of users have received the fix. Restrictions may also remain when a flaw exists in a third-party library used by other projects that have not yet been corrected. The advisory does not say which reason applies to this particular issue.
That leaves several important questions unanswered. The public record does not establish how repeatable the heap corruption is, whether it produces only a crash in common circumstances, what process or privilege boundary contains the result, or whether additional vulnerabilities would be needed for a broader device compromise.
The CVSS vector’s high impact values should not be mistaken for answers to those questions. They are assessment inputs describing the assumed maximum consequence of successful exploitation. They do not constitute a published proof that an attacker has already achieved those consequences against an updated or representative iPhone.
Similarly, the user-interaction flag does not reveal the difficulty of the gesture sequence. A single convincing tap after opening a page and a complicated sequence requiring precise timing both satisfy the broad category of user interaction, but they produce very different real-world risks.
Until Google opens the issue or publishes a fuller technical analysis, defenders should preserve this uncertainty rather than filling it with dramatic claims. The justified statement is that a remote attacker can potentially exploit heap corruption after persuading a vulnerable Chrome for iOS user to perform particular gestures on crafted HTML. Anything beyond that should be labeled analysis, not presented as a confirmed capability.

The NVD Record Shows Enrichment Still in Motion​

CVE-2026-14099 was marked “Modified After Enrichment,” a warning that the record changed after NVD had already completed an enrichment pass and that some enrichment data may require amendment. That status helps explain why the page combines firm product data with incomplete scoring and a change history that looks untidy.
NVD currently shows no NIST assessment under CVSS 4.0, CVSS 3.x, or CVSS 2.0. The visible 8.8 score belongs to CISA-ADP, not NIST, and reports should preserve that attribution. Calling it “NVD-rated 8.8” would be incorrect even though the score is displayed on the NVD page.
The weakness history is similarly easy to misread. Chrome initially supplied CWE-416, CISA-ADP later added the same weakness identifier, and a subsequent CISA-ADP modification removed a CWE-416 value. The current NVD weakness enumeration still displays CWE-416 Use After Free with Chrome as its source.
The most reasonable reading is that CISA’s duplicate or enriched weakness field changed while Chrome’s source-level classification remained in the record. It should not be interpreted as evidence that the vulnerability stopped being a use-after-free flaw, particularly when the CVE description itself uses that term and NVD continues to display the Chrome-sourced classification.
This record churn is normal enough in machine-to-machine vulnerability publishing, but it can create noisy downstream updates. A security platform may open a finding when the CVE arrives, recalculate its priority when the 8.8 score appears, modify the weakness mapping after NIST enrichment, and then process another event when the CISA-added CWE is removed.
Administrators should distinguish those metadata changes from a change in the fixed version. Nothing in the supplied record changes the remediation threshold: Chrome for iOS before 150.0.7871.47 remains the affected range.

Timeline​

June 30, 2026 — Google publishes the Chrome 150 Stable Channel Update for Desktop, the vendor advisory referenced by the CVE record.
June 30, 2026 — NVD publishes CVE-2026-14099 and records Chrome as the source.
June 30, 2026, 7:17:21 PM — NVD records receipt of the new CVE from Chrome, including the description, CWE-416 classification, references, and affected-version structure.
July 1, 2026, 1:16:28 PM — CISA-ADP adds the CVSS 3.1 vector, the 8.8 High score, CWE-416, and SSVC information.
July 1, 2026, 2:27:24 PM — NIST performs its initial analysis, adding the Chrome and Apple iPhone OS CPE configuration and classifying the two references.
July 1, 2026, 3:16:48 PM — CISA-ADP records another modification that removes a CWE-416 entry, while the NVD page continues to display Chrome’s CWE-416 classification.
July 1, 2026 — NVD records the CVE as last modified.
July 2, 2026 — CERT-FR publishes its advisory covering the broader set of vulnerabilities associated with the Chrome release.

Mobile Browser Inventory Is the Real Administrative Test​

For consumers, installing the update is a small task. For enterprises, discovering every vulnerable instance may be the harder part.
Corporate iPhones may be fully supervised, lightly managed, enrolled only for work applications, or entirely personal under a bring-your-own-device policy. Each management model produces different visibility into the installed Chrome version and different authority to force an update.
An organization may know that Chrome is permitted without knowing whether it is installed. It may know that the application is installed without receiving the full build number. It may receive version data only when the device next checks in, which means an apparently vulnerable record can represent a stale inventory snapshot rather than the browser’s present state.
Administrators should therefore define compliance around evidence. A device is compliant when inventory confirms Chrome for iOS is absent or reports version 150.0.7871.47 or later. A device with an older build is vulnerable, while a device with missing or stale version data is unknown and requires follow-up.
The distinction between vulnerable and unknown is especially important for high-value users. Executives, administrators, developers, finance staff, and support personnel may use mobile browsers to access password-reset pages, cloud consoles, identity portals, and sensitive documents. An unverified browser on one of those devices deserves more attention than a clearly patched browser on a low-risk test handset.
Security teams should also check how their scanners represent the finding. If Windows and macOS assets are being flagged solely because Chrome is present, the detection logic should be corrected rather than creating blanket exceptions for the CVE. A blanket exception could later conceal a legitimate mobile finding in the same platform.
The best rule matches the NIST configuration: application, version, and operating system must all align. That prevents both false positives on desktop systems and false negatives caused by excluding the CVE organization-wide.

Action checklist for admins​

  • Identify managed or enrolled iPhones with Google Chrome installed.
  • Verify that installed Chrome versions are 150.0.7871.47 or later.
  • Accelerate the managed application update where policy and tooling permit.
  • Treat missing, partial, or stale version data as unverified rather than compliant.
  • Prioritize devices used by privileged, executive, finance, development, and support personnel.
  • Confirm that vulnerability scanners require the Apple iPhone OS condition and do not flag Windows Chrome solely by product name.
  • Tell users to avoid unusual tap, swipe, or navigation instructions on pages opened from unsolicited links until their browser is verified as updated.
  • Recheck inventory after deployment and document any devices that remain below the threshold.

Risk-Based Patching Should Not Become Score-Based Theater​

The temptation with CVE-2026-14099 is to choose a side. Teams that trust vendor ratings may call it Low and postpone action; teams driven by CVSS may call it High and trigger an emergency response. Neither approach uses all the evidence.
The sensible priority sits between those extremes. A fixed release exists, the affected range is precise, the weakness involves memory safety, and no compensating control can provide the certainty of replacing the vulnerable build. That argues for prompt updating.
At the same time, CISA records no exploitation and says the attack is not automatable. The victim must interact with a crafted page in a specific way, and the public record does not describe a working exploit chain. Those facts argue against treating every unpatched device as an active breach.
A mature security program separates remediation urgency from incident severity. The browser should be updated quickly because the effort and disruption are low relative to the possible impact. Incident-response escalation should depend on evidence such as a suspicious lure, unusual browser behavior, a relevant crash, or intelligence showing exploitation—not on the 8.8 number alone.
The Chrome-versus-CISA disagreement also exposes a weakness in dashboards that translate one score directly into one service-level agreement. A numerical threshold can help manage thousands of findings, but it cannot understand whether an attack requires a targeted victim, a difficult gesture sequence, a vulnerable mobile platform, or an exploit chain not known to exist.
This CVE is a good candidate for contextual prioritization. Increase priority for vulnerable devices belonging to targeted or privileged users, reduce noise from inapplicable Windows assets, and keep the base remediation simple: update the application.

What Defenders Should Carry Into the Next Chrome Advisory​

CVE-2026-14099 is not merely another entry in an unusually large Chrome security release. It is a compact lesson in how vendor severity, CVSS, SSVC, platform CPEs, restricted bug reports, and automated scanners can describe the same vulnerability without telling the same story.
  • Chrome for iOS before 150.0.7871.47 is the affected product and version range.
  • Chrome labels the flaw Low; CISA-ADP assigns an 8.8 High CVSS 3.1 score.
  • The 8.8 value is not an independent NVD or NIST assessment.
  • CISA records no known exploitation, no automation, and potentially total technical impact.
  • Exploitation requires a crafted HTML page and specific user-interface gestures.
  • Windows Chrome is not included in the NIST affected configuration for this CVE.
The critical operational point is that severity disagreement is not remediation disagreement. Google, CISA, and NIST metadata all lead administrators toward the same version boundary even while they communicate risk differently.
CVE-2026-14099 should be patched without being sensationalized: it is a memory-safety flaw with a potentially serious endpoint, constrained by required victim behavior and no identified exploitation, and confined by the public record to Chrome on iOS. The longer-term challenge is not simply keeping mobile browsers current, but building vulnerability systems capable of preserving platform context, source attribution, and uncertainty—because the next sprawling Chrome advisory will generate the same kind of metadata collision, and organizations that cannot separate a real mobile exposure from a Windows false positive will waste time in both directions.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:40:43-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:40:43-07:00
    Original feed URL
  3. Related coverage: cvepremium.circl.lu
  4. Related coverage: piunikaweb.com
  5. Related coverage: vuldb.com
  6. Related coverage: issues.chromium.org
  1. Related coverage: cvefeed.io
  2. Official source: support.google.com
 

Back
Top