CVE-2026-14424: Update Chrome for Mac to 150.0.7871.46

Security alert
Affected:
Google Chrome on macOS earlier than 150.0.7871.46
Required version:
150.0.7871.46 or later
Vulnerability:
CVE-2026-14424, a use-after-free flaw in Dawn
Potential result: A remote attacker could potentially escape the browser sandbox through a crafted HTML page
User interaction: Required
Exploitation status: CISA-ADP records none
Windows and Microsoft Edge:
Not identified as affected in the supplied vulnerability record
Mac users should update Chrome, relaunch it, and verify the complete version number. Windows administrators should avoid expanding this CVE to Chrome on Windows, Microsoft Edge, or every Chromium-based browser without separate product-specific evidence.
Google Chrome on Mac before version 150.0.7871.46 is affected by CVE-2026-14424, a High-severity use-after-free vulnerability in Dawn. The public description says a remote attacker could potentially perform a sandbox escape by convincing a user to interact with a crafted HTML page.
The record does not identify active exploitation. CISA-ADP’s Stakeholder-Specific Vulnerability Categorization assessment lists exploitation as “none” and automatable as “no,” while recording the technical impact as “total.” Those values support prompt remediation without presenting the vulnerability as an active campaign or a self-propagating emergency.
The practical security boundary is clear: Chrome 150.0.7871.46 and later are outside the stated affected range.

Laptop displays a browser version warning beside a glowing sandbox shield and a “Dawn” use-after-free vulnerability alert.The Public Record Supports a Narrow but Serious Warning​

CVE-2026-14424 is classified as CWE-416, Use After Free. This weakness category describes software accessing memory after the associated object or allocation has been released.
The consequences of a use-after-free vulnerability depend on the affected code and the conditions under which it can be reached. The supplied record does not provide a complete trigger sequence or guarantee that exploitation will succeed. It does, however, identify the possible outcome as a sandbox escape, which is sufficient reason to treat the update as a priority.
A browser sandbox is intended to restrict what untrusted web content can reach. Describing a flaw as a potential sandbox escape means the possible effect extends across a security boundary rather than being limited to an ordinary page error or rendering failure.
The published description includes important constraints:
  • The affected product is Google Chrome.
  • The affected platform is macOS.
  • The affected versions are those earlier than 150.0.7871.46.
  • The flaw is identified as a use-after-free vulnerability in Dawn.
  • A remote attacker would use crafted HTML.
  • User interaction is required.
  • The potential result is a browser sandbox escape.
  • The supplied SSVC assessment records no exploitation.
Those facts should not be expanded into an undocumented exploit narrative. The record does not identify a particular malicious site, advertisement, message, user gesture, graphics workload, or delivery campaign. It also does not provide public indicators of compromise.
The linked Chromium issue requires permission. That establishes only that the issue is not publicly accessible through the supplied link. It does not establish why access is restricted, when the issue may become public, or what technical material the private report contains.
Similarly, the component name does not establish the detailed cause of the vulnerability. The public record says the flaw is “in Dawn,” but it does not provide enough information to attribute the Mac-specific exposure to Metal, an Apple graphics driver, a compiler, a native backend, or any other integration path. Those explanations would require separate technical evidence.
The supported conclusion is narrower: a vulnerable condition in Dawn affects Google Chrome on Mac before version 150.0.7871.46.

“High” and 9.6 Critical Are Separate Assessments​

The record contains two severity presentations that may appear contradictory at first glance.
Chromium classifies CVE-2026-14424 as High, while CISA-ADP contributes a 9.6 Critical CVSS 3.1 score. The 9.6 score appears on the National Vulnerability Database page, but it is not an NVD-authored or NIST-authored assessment.
That provenance matters. Vulnerability reports, scanner tickets, and internal dashboards should not label the value simply as “NVD 9.6” because doing so obscures who produced the score.
Assessment sourceRating or statusWhat it establishes
ChromiumHighGoogle’s vendor security-severity classification
CISA-ADP CVSS 3.19.6 CriticalA contributed standardized severity assessment
CISA-ADP SSVCExploitation: none; automatable: no; technical impact: totalPoint-in-time decision-support values
NVD/NIST CVSSNo separate score in the supplied recordThe displayed 9.6 should not be presented as an NVD-authored score
The CISA-ADP vector is:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
In CVSS terms, this records:
  • A network attack vector
  • Low attack complexity
  • No privileges required
  • Required user interaction
  • Changed scope
  • High potential confidentiality impact
  • High potential integrity impact
  • High potential availability impact
These are scoring selections, not a public technical reproduction of the vulnerability. “Low attack complexity,” for example, should not be converted into claims that exploitation is reliable on every Mac, that exploit development is easy, or that no additional conditions apply.
The changed-scope and high-impact selections help explain the 9.6 score. Required user interaction is also part of the vector and should remain visible in user-facing reporting.
Chromium’s High classification and CISA-ADP’s 9.6 Critical score do not need to be collapsed into a single label. They come from different assessment processes. For operational purposes, both point toward the same action: update affected Macs promptly and verify that the full installed version meets the fixed boundary.

Read the SSVC Values Without Adding an Attack Story​

CISA-ADP’s SSVC contribution supplies useful context, but each field should be repeated narrowly.
SSVC fieldRecorded valueAppropriate interpretation
ExploitationNoneThe assessment does not record exploitation
AutomatableNoThe assessment does not classify the exploitation process as automatable
Technical impactTotalThe assessment assigns the highest listed technical-impact value
“Exploitation: none” does not mean exploitation is impossible or that the browser can remain unpatched. It is a point-in-time assessment in the supplied record.
It also does not justify saying that no proof of concept exists, that no researcher has reproduced the flaw, or that no attacker has ever investigated it. Those broader claims are not established by the SSVC field.
“Automatable: no” should not be expanded into assumptions about targeted attacks, timing requirements, environmental checks, exploit chains, or the scale at which an attacker could operate. The record provides the value but not a detailed explanation for the decision.
“Technical impact: total” supports treating the possible outcome seriously. It should not be used to invent consequences beyond those described in the vulnerability record.
The disciplined security message is therefore straightforward: the possible technical impact is severe, but the supplied assessment records no exploitation and does not classify the process as automatable. Patch promptly without declaring an unsupported active attack.

Version 150.0.7871.46 Is the Decisive Boundary​

The affected-version range is the clearest remediation information in the record.
Chrome version on macOSCVE-2026-14424 status
Earlier than 150.0.7871.46Within the documented affected range
150.0.7871.46Outside the documented affected range
Later than 150.0.7871.46Outside the documented affected range
The complete version matters. A report that says only “Chrome 150” does not establish that the Mac has crossed the fixed boundary.
Administrators should compare all four version components and treat missing, abbreviated, or stale inventory as unresolved. If a management system cannot report the complete version, a local verification should be performed before the remediation ticket is closed.
No workaround in the supplied record is presented as equivalent to updating. In particular, the available evidence does not establish that disabling hardware acceleration, changing graphics settings, blocking an individual web feature, or avoiding a particular class of site removes the vulnerable condition.
The supported remediation is to run Google Chrome 150.0.7871.46 or later on macOS.

What to do now​

Google’s Chrome Help procedure provides a direct way for a user to reach the browser’s version information and complete an available update:
  1. Open Google Chrome on the Mac.
  2. Select the Chrome menu marked by three vertical dots.
  3. Select Help.
  4. Select About Google Chrome.
  5. Complete the available update if Chrome presents one.
  6. Select Relaunch when prompted.
  7. Return to Chrome menu > Help > About Google Chrome.
  8. Confirm that the complete displayed version is 150.0.7871.46 or later.
Users can also open chrome://settings/help directly in Chrome to reach the same version-information page.
Do not stop after confirming only that the browser says “Chrome 150.” The required verification result is the complete version number, beginning with 150.0.7871.46, or a numerically later supported release.
If the browser is managed by an employer or other organization and cannot be updated, the user should contact the responsible administrator rather than attempting to bypass management controls.

Verified Record Timeline​

The supplied NVD change history supports the following limited timeline. The unsupported June 24 and June 30 release entries have been removed.
  • July 1, 2026, 7:16:50 PM: Chrome submits the CVE information, including the description, CWE-416 classification, references, and affected-version boundary.
  • July 1, 2026, 8:16:43 PM: CISA-ADP adds the CVSS 3.1 assessment and SSVC values.
  • July 2, 2026, 12:18:40 PM: NIST adds its initial affected-product analysis, associating the vulnerable Chrome range with macOS.
  • July 3, 2026, 12:17:50 AM: CISA-ADP modifies the SSVC timestamp formatting without changing the listed exploitation, automation, or technical-impact selections.
In date-level terms, the NVD record was published on July 1, 2026, NIST’s initial analysis followed on July 2, 2026, and the record was last modified on July 3, 2026.
This sequence also explains why the NVD page contains material from several contributors. Chrome supplies the vulnerability description and vendor severity. CISA-ADP supplies the 9.6 CVSS assessment and SSVC values. NIST supplies affected-product analysis. The page collects those contributions, but their appearance on one page does not make every field an NVD-authored assessment.

Admin Checklist: Patch the Macs, Not the Entire Chromium Fleet​

For Windows-focused organizations, the main operational risk is inaccurate scope.
Many primarily Windows environments also contain executive Macs, development systems, contractor devices, design workstations, laboratory computers, or other macOS endpoints handled through separate inventory and support processes. Those are the systems relevant to this CVE if they run an affected Chrome version.
Administrators should translate the following procedure into their existing, approved endpoint-management workflow. The supplied vulnerability record does not prescribe a particular management product, policy, deployment command, configuration profile, or update schedule.

Identification​

  • Inventory Google Chrome specifically on macOS.
  • Collect the complete four-part Chrome version.
  • Flag every Mac reporting a version earlier than 150.0.7871.46.
  • Treat missing, stale, or incomplete version data as unresolved.
  • Preserve the initial affected-device list as the remediation baseline.

Deployment​

  • Deploy an approved, currently supported Chrome version that is 150.0.7871.46 or later.
  • Use the organization’s documented software-deployment process.
  • Communicate a clear deadline for completing the update and relaunch.
  • Follow up separately on systems that cannot receive the approved release.

Verification​

  • Repeat the original inventory query after deployment.
  • Investigate every Mac that remains below 150.0.7871.46.
  • Verify the complete version locally on a representative sample through Chrome menu > Help > About Google Chrome.
  • Keep devices with unknown status open in the remediation ticket.
  • Close the ticket only when no unexplained in-scope Mac remains below the threshold.

Reporting​

  • Record Chromium’s severity as High.
  • Record the contributed CISA-ADP CVSS 3.1 score as 9.6 Critical.
  • Do not label 9.6 as an NVD-authored score.
  • Record the supplied SSVC exploitation status as none.
  • Do not translate that status into a claim that exploitation can never occur.
  • Keep unsupported architectural explanations and attack scenarios out of executive summaries.
A deployment job marked “successful” is not necessarily the same as verified remediation. The acceptance criterion should be based on the resulting browser version: no unexplained managed Mac should remain below 150.0.7871.46.

Windows and Edge Are Not Identified as Affected​

The supplied record identifies Google Chrome on macOS. It does not identify Google Chrome on Windows as affected by CVE-2026-14424.
That distinction should be preserved in vulnerability scans and remediation tickets. A Windows computer should not be counted as exposed to this specific CVE merely because it runs a Chrome version earlier than 150.0.7871.46.
The record also does not identify Microsoft Edge as affected. The fact that Edge is Chromium-based is not enough to apply a Google Chrome CVE and its Chrome version boundary directly to Edge.
The same caution applies to other Chromium-derived browsers. Shared technology does not, by itself, establish that a particular product, platform, version, or configuration is vulnerable. Product-specific evidence from the relevant vendor is needed before extending the scope.
For this incident, the appropriate affected-asset query is:
Find Google Chrome installations on macOS with a complete version lower than 150.0.7871.46.
It is not:
Find every browser based on Chromium.
This precision prevents two operational failures at once. It avoids false-positive remediation work on Windows and Edge, and it keeps attention on Macs that might otherwise be overlooked inside a Windows-centered management program.
Windows administrators who also manage Macs should make sure that macOS inventory is not isolated in a separate console, business unit, or support workflow with weaker visibility. The WindowsForum-specific lesson is not that Windows needs an emergency fix for this CVE. It is that mixed-platform organizations must express the affected conditions accurately enough to find the right machines.

CVSS Helps Prioritize, but Version Evidence Closes the Ticket​

A 9.6 CVSS score communicates severe modeled technical impact. It does not report how many devices are exposed, confirm that exploitation is occurring, or prove that an attacker can exploit every vulnerable installation reliably.
Chromium’s High rating should not be used to erase the CISA-ADP assessment. Conversely, the CISA-ADP score should not be mislabeled as Google’s rating or as an independent NVD score.
A credible internal summary should preserve all three forms of information:
  1. Vendor assessment: Chromium rates the vulnerability High.
  2. Contributed standardized score: CISA-ADP assigns CVSS 3.1 9.6 Critical.
  3. Current exploitation context: CISA-ADP’s SSVC entry records exploitation as none.
Local exposure then determines the workload. An organization with no Chrome installations on Mac has no identified affected assets under the supplied record. An organization with hundreds of Macs below the fixed version has a clear remediation task, even though active exploitation is not recorded.
The most useful result is not a debate over whether “High” or “Critical” is the better headline. It is evidence that every in-scope Mac has moved beyond the vulnerable version range.

The Fixed Version Is the Only Safe Line to Draw​

CVE-2026-14424 has a concise public record: it is a High-severity use-after-free flaw in Dawn affecting Google Chrome on Mac before 150.0.7871.46. A remote attacker could potentially use crafted HTML and required user interaction to perform a sandbox escape. CISA-ADP contributes a 9.6 Critical CVSS score, but that score is not authored by NVD, and its SSVC assessment records no exploitation.
The response should be equally concise: update Chrome on affected Macs, relaunch it, and verify version 150.0.7871.46 or later.
Windows Chrome installations and Microsoft Edge are not identified as affected in the supplied record and should not be added to this CVE’s remediation scope without separate vendor evidence. That is not a reason for Windows-focused administrators to ignore the issue; it is a reason to apply it accurately.
The public picture could change if the affected-product record, exploitation status, or vendor guidance is revised. Administrators should continue monitoring authoritative vulnerability and product information. Until such a change occurs, the defensible operational line remains exact: Google Chrome on macOS below 150.0.7871.46 requires remediation; 150.0.7871.46 or later meets the documented version boundary.

References​

  1. Primary source: NVD / Chromium
    Published: 2026-07-11T15:39:57-07:00
  2. Security advisory: MSRC
    Published: 2026-07-11T15:39:57-07:00
    Original feed URL
  3. Related coverage: chromium.org
  4. Related coverage: dawn.googlesource.com
 

Back
Top