Google shipped Chrome 150.0.7871.47 on June 30, 2026, plugging a critical security hole in the browser’s WebRTC component that leaves Windows and other platforms open to remote takeover. The flaw, catalogued as CVE-2026-14078, is triggered by simply visiting a malicious web page—no clicks required—and can lead to full system compromise.
A Patch That Can’t Wait
The update from Google resolves a single, high-impact bug: an input validation error inside WebRTC, the open-source framework that handles real-time voice, video, and data sharing directly between browsers. Attackers can craft a specially formatted WebRTC stream that overwrites memory, breaking out of the browser’s sandbox and escalating privileges to run arbitrary code on the victim’s machine. In plain terms, a well-resourced adversary can turn a visit to an innocent-looking website into a complete PC hijack.
The vulnerability was first disclosed by the Chrome security team on June 30, but its reach became clearer when the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Vulnerability Database (NVD) added their own assessments later the same week. CISA’s alert confirms the bug is remotely triggerable over a network with low attack complexity, making it a prime candidate for automated exploitation kits. While no in-the-wild attacks have been confirmed at the time of writing, the short window between patch and abuse in similar cases suggests time is running out for unpatched browsers.
Who Is Affected
Every Chrome installation earlier than 150.0.7871.47 is vulnerable. That includes Chrome on Windows, macOS, Linux, and by extension Android, where the WebRTC stack is shared. However, the risk is highest on desktops where the browser often runs with fewer containment guardrails. Other Chromium-based browsers—Microsoft Edge, Brave, Opera, Vivaldi, and a dozen more—may also be exposed if they haven’t yet merged the upstream fix. Historically, Edge and Brave adopt Chrome security patches within a day or two, but the lag varies.
Home users who rely on automatic updates are likely protected already, assuming they restart their browser. Power users and IT administrators managing fleets through Group Policy or enterprise deployment tools need to act manually. The version number to aim for is 150.0.7871.47 or higher.
How We Got Here: WebRTC’s Recurring Headaches
WebRTC has been both a blessing and a curse since it landed in Chrome back in 2013. Real-time communication directly in the browser, without plugins, revolutionized video conferencing, file sharing, and peer-to-peer apps. But that power comes at a cost: the protocols are complex, the attack surface is huge, and vulnerabilities—especially memory corruption bugs—keep popping up.
CVE-2026-14078 is the fourth WebRTC-related critical CVE in the past eighteen months. Google’s engineers normally keep a lid on the technical details for a few weeks after a fix to give users time to patch, a practice that has worked well. This time, the rapid enrichment by CISA and NVD hints at an underlying severity that warrants immediate attention from every organization. The flaw’s low attack complexity and the fact that it needs zero user interaction to succeed put it in the same league as remote code execution bugs that have been widely exploited in the past.
What to Do Right Now
For Individual Users
- Check your version: Click the three-dot menu → Help → About Google Chrome. The page will show your current version and automatically start downloading the update if one is available.
- Restart Chrome: After the update downloads, you must restart the browser to apply it. If you haven’t closed Chrome in a while, look for the “Relaunch” button on the About page.
- Verify after restart: Go back to About Google Chrome to confirm you’re on version 150.0.7871.47 or newer. Compare the full four-part version number, not just the leading 150; you want exactly this build or later.
- Turn on automatic updates if off: Some users disable auto-updates to avoid surprise UI changes. That’s a bad idea for security. Re-enable them through the same About page or via system settings.
For IT Administrators
- Deploy via Group Policy: Download the MSI installer for Chrome Enterprise from Google’s website and push it to all managed Windows endpoints. The enterprise MSI for 150.0.7871.47 should be available immediately.
- Check Chromium-based browsers in your fleet: Run a version audit for Microsoft Edge, Brave, Opera, or any other Chromium derivatives your users have installed. Edge generally follows Chrome’s versioning closely—Edge 150.0.7871.47 will likely appear in the Stable channel within days.
- Block unpatched browsers at the firewall (temporary measure): If a full rollout will take longer than 48 hours, consider a network policy that blocks browsers whose user-agent string reports a version older than 150 until they are patched. This is drastic but effective for critical vulnerabilities.
- Monitor CISA’s Known Exploited Vulnerabilities catalog: If CVE-2026-14078 is added, federal agencies and contractors will have a mandated patch deadline. Even if you’re not a government entity, the catalog is your best early-warning system for bugs that are being actively weaponized.
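A sketch of the version audit described above, added here as an example and not taken from Google or any vendor tooling. It assumes a CSV inventory export with host, browser and version columns (the column names, hostnames and sample versions are constructed), and it compares version fields numerically, because a plain string comparison ranks 150.0.7871.9 above 150.0.7871.47.

```python
import csv
import io
import re

# Fixed Chrome build named in this article.
FIXED = (150, 0, 7871, 47)

# Constructed sample inventory export; hosts and versions are made up.
SAMPLE_INVENTORY = """host,browser,version
ws-001,Google Chrome,150.0.7871.47
ws-002,Google Chrome,150.0.7871.9
ws-003,Google Chrome,149.0.7800.120
ws-004,Google Chrome,150.0.7872.3
ws-005,Microsoft Edge,149.0.3900.80
ws-006,Google Chrome,unknown
"""

VERSION_RE = re.compile(r"\d+(?:\.\d+){3}", re.ASCII)


def parse_version(text):
    """Return the version as a 4-tuple of ints, or None if it is not a.b.c.d."""
    text = text.strip()
    if not VERSION_RE.fullmatch(text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(browser, version):
    """Classify one inventory row against the fixed Chrome build."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"  # never treat a missing version as patched
    if browser.strip().lower() != "google chrome":
        # The article gives a fixed build for Chrome only; other Chromium
        # browsers must be checked against their own vendor's release notes.
        return "check-vendor"
    # Tuple comparison is numeric per field, unlike string comparison.
    return "patched" if parsed >= FIXED else "vulnerable"


def audit(inventory_csv):
    """Map each host in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["browser"], row["version"]) for row in rows}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```

Rows that come back as unparseable or check-vendor need manual follow-up rather than being counted as patched.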
For the Paranoid
If you cannot update immediately—say you’re on a locked-down machine—you can disable WebRTC entirely, but it will break any site that uses video chat, screen sharing, or peer-to-peer data. To do this, type chrome://flags/#webrtc in the address bar, find the WebRTC flag, and set it to “Disabled.” Better yet, install a trusted extension like “WebRTC Control” that lets you toggle it on and off. Remember to re-enable WebRTC once you’ve updated.
The Bigger Picture
Google’s fast turnaround on a single-issue release suggests the company views this flaw as exceptionally dangerous. The fact that CISA jumped in so quickly reinforces that message. For everyday users, this is one of those patches you don’t want to sleep on. For organizations, it’s a reminder that the web platform’s real-time capabilities are a double-edged sword.
Expect detailed technical write-ups from security researchers in the coming weeks once Google lifts the details embargo. In the meantime, the best defense is the simplest: update and restart. As WebRTC usage continues to grow—fuelled by remote work and metaverse experiments—the pressure to secure its sprawling codebase will only intensify. Browser makers and large enterprises are already looking at architectural changes that could sandbox WebRTC more aggressively, akin to how PDF renderers and GPU processes are isolated today. Until those arrive, patches like this one will remain a regular, urgent part of the security landscape.