Google shipped an emergency update to Chrome’s stable desktop channel on June 30, 2026, patching a vulnerability in the browser’s extensions system that could allow attackers to steal sensitive cross-origin data after an initial foothold. The fix, tagged CVE-2026-14053, is rolling out worldwide in version 150.0.7871.47 for Windows, Mac, and Linux.

Though Google rates the flaw as low severity, the nature of the bug—leaking data between websites—makes it a stealthy privacy risk for anyone who runs browser extensions. The company confirmed that an attacker would first need to compromise an extension or lure a user into installing a malicious one, but the exploit path is far from theoretical in today’s extension ecosystem.

What Actually Changed in Chrome 150.0.7871.47

The patch addresses a single vulnerability in Chromium’s Extensions API. According to Google’s advisory, CVE-2026-14053 is a “cross-origin data leakage” flaw that resides in how extensions handle requests between different websites. If exploited, a compromised extension could access and exfiltrate information from sites a user visits—login credentials, financial data, or private messages—without any visual sign.

Google’s official severity classification is “low,” but that rating hinges on the attack chain: the bad actor must first gain control over an extension, either by publishing a weaponized add-on that passes Chrome Web Store review or by exploiting another bug to hijack an existing one. From there, the data seepage occurs silently. The low label can mislead users because the potential damage from a successful chain could be high, depending on which data is exposed.

This release is a focused security patch; it contains no new features, performance tweaks, or UI changes. The full build number on Windows is 150.0.7871.47 (Official Build) (64-bit). Google says the update will roll out progressively over the coming days, but users can force-install immediately through Chrome’s Help menu.

What It Means for You

Home Users

If you use Chrome as your daily driver, the risk is real but manageable. The most likely scenario is a rogue extension slipping into the Chrome Web Store under the guise of a productivity tool, coupon finder, or game. Even with automated review systems, malicious extensions occasionally bypass Google’s checks—sometimes for months.

Because the vulnerability involves cross-origin leaks, a single compromised extension could read data from your banking site, webmail, or social media if you’re logged in simultaneously. That’s the nightmare scenario. However, it requires the extension to actively exploit the bug, which means the attacker must have already breached your browser via the extension. For careful users who install only well-known, widely reviewed extensions with minimal permissions, the threat is low. But if you keep dozens of extensions—many no longer maintained—the risk compounds.

IT Administrators and Enterprise Environments

For organizations managing Chrome via group policies or enterprise deployment tools, this patch should be pushed out as soon as possible. Even a low-severity flaw can disrupt defense-in-depth when extensions are part of the approved software catalog. Enterprises often allow internal extensions or those from trusted vendors; a supply-chain attack on one of those could weaponize CVE-2026-14053 against entire fleets.

Admins should audit extension allowlists immediately. Remove any unverified or rarely used extensions, and enforce least privilege for those that remain. Chrome Enterprise policies such as ExtensionInstallForcelist and BlockExternalExtensions can help control what runs in managed browsers until the patch is verified across all endpoints.

Developers and Extension Authors

If you maintain an extension, check whether it interacts with cross-origin requests. The flaw may have allowed a malicious actor to misuse your extension’s capabilities if they found a way to inject code. Google hasn’t released detailed technical specifics—likely to prevent active exploitation—but developers should review their extensions’ content security policies and ensure they don’t inadvertently pass sensitive data across origins. Consider updating your extension’s manifest to enforce stricter cross-origin isolation.
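The review described above can be mechanised. The following is an added example, not Chrome's code and not any real extension's code: a small least-privilege linter for a Manifest V3 manifest that flags broad host access (`<all_urls>` and bare-`*` host patterns in `host_permissions`, `permissions` and content-script `matches`), a content security policy that permits `'unsafe-eval'`, `'unsafe-inline'` or remote script, and the absence of the MV3 `cross_origin_opener_policy` / `cross_origin_embedder_policy` keys that request cross-origin isolation for extension pages. The two manifests at the bottom are constructed samples.

```javascript
// Added example: least-privilege linter for a Manifest V3 extension manifest.
// Not Chrome's code; the sample manifests below are constructed for illustration.

// Host patterns that grant access to every site the user visits.
const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function isBroadHost(pattern) {
  if (BROAD_HOST_PATTERNS.has(pattern)) return true;
  // Any scheme with a bare "*" host component still means every site.
  const m = /^(\*|https?|file|ftp):\/\/([^/]+)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

// Parse "script-src 'self'; object-src 'self'" into { "script-src": ["'self'"], ... }.
function parseCsp(cspString) {
  const directives = {};
  for (const part of cspString.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives[tokens[0]] = tokens.slice(1);
  }
  return directives;
}

function cspFindings(csp) {
  if (!csp || typeof csp.extension_pages !== "string") {
    return ["no content_security_policy.extension_pages; declare script-src 'self' explicitly"];
  }
  const directives = parseCsp(csp.extension_pages);
  const scriptSrc = directives["script-src"] || directives["default-src"] || [];
  const findings = [];
  if (scriptSrc.some((s) => s === "'unsafe-eval'" || s === "'unsafe-inline'")) {
    findings.push("script-src allows 'unsafe-eval' or 'unsafe-inline'");
  }
  const remote = scriptSrc.filter((s) => s === "*" || /^https?:/.test(s));
  if (remote.length) findings.push(`script-src allows remote script: ${remote.join(" ")}`);
  return findings;
}

// Returns a list of findings; an empty list means the manifest passes.
function auditManifest(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 3) {
    findings.push("manifest_version is not 3; MV3 has the finer-grained permission model");
  }
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []).filter((p) => p === "<all_urls>" || p.includes("://")),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  for (const h of hosts) if (isBroadHost(h)) findings.push(`broad host access: ${h}`);
  findings.push(...cspFindings(manifest.content_security_policy));
  if (manifest.cross_origin_opener_policy?.value !== "same-origin") {
    findings.push("cross_origin_opener_policy.value is not 'same-origin'");
  }
  if (manifest.cross_origin_embedder_policy?.value !== "require-corp") {
    findings.push("cross_origin_embedder_policy.value is not 'require-corp'");
  }
  return findings;
}

// Constructed sample: a "coupon finder" that asks for everything.
const PERMISSIVE_MANIFEST = {
  manifest_version: 3, name: "Coupon Finder", version: "2.3",
  host_permissions: ["<all_urls>"],
  permissions: ["tabs", "cookies"],
  content_scripts: [{ matches: ["*://*/*"], js: ["inject.js"] }],
  content_security_policy: { extension_pages: "script-src 'self' 'unsafe-eval'; object-src 'self'" },
};

// Constructed sample: the same idea scoped to the one site it serves.
const HARDENED_MANIFEST = {
  manifest_version: 3, name: "Coupon Finder", version: "2.4",
  host_permissions: ["https://*.shop.example/*"],
  permissions: ["storage"],
  content_scripts: [{ matches: ["https://checkout.shop.example/*"], js: ["inject.js"] }],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
  cross_origin_opener_policy: { value: "same-origin" },
  cross_origin_embedder_policy: { value: "require-corp" },
};

console.log("permissive:", auditManifest(PERMISSIVE_MANIFEST));
console.log("hardened:", auditManifest(HARDENED_MANIFEST));
```

Run it with `node` over a parsed `manifest.json`; the permissive sample yields five findings, the scoped one none. The checks are deliberately conservative: a manifest that passes is not proven safe, but one that fails has an over-broad grant that a hijacked copy of the extension could abuse.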

How We Got Here

Extension-based threats are nothing new. Chrome’s powerful extensions API has been a double-edged sword for years: it enables everything from password managers to ad blockers, but every permission an extension gains is a potential leak vector. The Chromium team has clamped down over successive versions, introducing Manifest V3 and more granular permission scopes, yet vulnerabilities still surface.

This isn’t the first cross-origin weakness in extensions:
- In 2024, Chrome 124 fixed a similar high-severity universal cross-site scripting (UXSS) bug (CVE-2024-1939) in the V8 engine, which could have been triggered by crafted extensions.
- Later that year, a critical sandbox escape (CVE-2024-5831) allowed compromised renderers to break out of isolation, potentially elevating extension-based attacks to system level.
- Early 2025 brought a spate of logic flaws in extension permissions checks, leading to three separate CVEs, all rated medium or high.

CVE-2026-14053 arrives amid a broader push by Google to automate vulnerability detection in the extensions platform. The company’s Project Zero and fuzzing teams have focused on the Blink and Extensions subsystems, and this bug likely emerged from that internal effort or an external researcher’s report under the bug bounty program. Google withheld technical details for now, saying only that they will be published “once a majority of users are up to date with the fix,” a standard practice that signals the flaw is considered practically exploitable.

What to Do Now

1. Update Chrome Immediately

  • Open Chrome, click the three-dot menu > Help > About Google Chrome.
  • Chrome will check for updates and automatically download version 150.0.7871.47.
  • Click Relaunch to complete the installation.
  • If you don’t see the update yet, wait a few hours or force-check by restarting Chrome. The rollout is gradual but can be accelerated by the manual check.

2. Verify the Patch

  • After relaunch, go back to About Google Chrome and confirm the version number reads 150.0.7871.47 (or later, if a newer patch is installed).
  • On Windows, you can also open the “chrome://version” URL in the address bar and verify the “Google Chrome” field.

3. Lock Down Your Extensions

  • Navigate to chrome://extensions/.
  • Review every installed extension. If you don’t recognize it, remove it immediately.
  • For extensions you keep, click Details and scrutinize the permissions. Set “Site access” to “On specific sites” rather than “On all sites” wherever possible.
  • Disable or remove extensions that are no longer updated—these are prime targets for hijack.
  • Turn on Enhanced Safe Browsing (Settings > Privacy and security > Security) for additional real-time protection against malicious extensions and websites.

4. For Enterprises

  • Download the latest MSI/ADMX from the Chrome Enterprise download page.
  • Test the update on a pilot group first, then push via SCCM, GPO, or your management tool.
  • Use the policy ExtensionSettings to block all extensions not explicitly allowed until the patch is confirmed across the fleet.
  • Monitor Chrome’s security release blog for any updates on exploitation activity.
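The ExtensionSettings step above, and the earlier advice to enforce least privilege on managed fleets, both reduce to one JSON policy object. The block below is an added example, not Google's code: it builds an ExtensionSettings policy whose `"*"` default blocks every extension, allowlists a few IDs, keeps even allowlisted extensions off named hosts via `runtime_blocked_hosts`, and validates an existing policy object for the gaps an audit should catch. The extension IDs and hostnames are constructed placeholders; the Web Store update URL is the standard one used for force-installed extensions.

```javascript
// Added example, not Google's code: build and validate a Chrome ExtensionSettings
// policy. Extension IDs and hostnames are constructed placeholders.

const EXTENSION_ID = /^[a-p]{32}$/; // Chrome extension IDs are 32 letters from a-p
const WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx";
const INSTALL_MODES = ["allowed", "blocked", "removed", "force_installed", "normal_installed"];

function buildExtensionSettings({ allowed = [], forced = [], blockedHosts = [], blockedPermissions = [] }) {
  const policy = {
    // The "*" entry is the default for every extension not listed explicitly.
    "*": {
      installation_mode: "blocked",
      blocked_install_message: "Extensions are blocked pending security review.",
      runtime_blocked_hosts: blockedHosts,     // applies to allowed extensions too
      blocked_permissions: blockedPermissions, // no extension in the fleet may hold these
    },
  };
  for (const id of allowed) {
    if (!EXTENSION_ID.test(id)) throw new Error(`invalid extension id: ${id}`);
    policy[id] = { installation_mode: "allowed" };
  }
  for (const id of forced) {
    if (!EXTENSION_ID.test(id)) throw new Error(`invalid extension id: ${id}`);
    policy[id] = { installation_mode: "force_installed", update_url: WEB_STORE_UPDATE_URL };
  }
  return policy;
}

// Returns a list of problems with a policy object; an empty list means it passes.
function validatePolicy(policy) {
  const problems = [];
  const def = policy["*"];
  if (!def || def.installation_mode !== "blocked") {
    problems.push('default "*" entry must set installation_mode "blocked"');
  }
  for (const [id, entry] of Object.entries(policy)) {
    if (id === "*") continue;
    if (!EXTENSION_ID.test(id)) problems.push(`key is not a valid extension id: ${id}`);
    if (!INSTALL_MODES.includes(entry.installation_mode)) {
      problems.push(`${id}: unknown installation_mode ${entry.installation_mode}`);
    }
    if (["force_installed", "normal_installed"].includes(entry.installation_mode) && !entry.update_url) {
      problems.push(`${id}: force_installed/normal_installed requires update_url`);
    }
  }
  return problems;
}

// Constructed fleet policy: one allowlisted extension, one force-installed, and
// no extension at all may run against the payroll or banking hosts.
const FLEET_POLICY = buildExtensionSettings({
  allowed: ["abcdefghijklmnopabcdefghijklmnop"],
  forced: ["ponmlkjihgfedcbaponmlkjihgfedcba"],
  blockedHosts: ["*://payroll.corp.example", "*://*.bank.example"],
  blockedPermissions: ["debugger", "proxy"],
});

// GPO and the registry take ExtensionSettings as a single JSON string.
console.log(JSON.stringify(FLEET_POLICY));
```

Push the printed JSON as the ExtensionSettings value (via GPO, the registry, or your management tool), then run `validatePolicy` over any policy you inherit before deploying it: a `"*"` entry left at `allowed`, or a mistyped extension ID that silently fails to match anything, are the two mistakes this catches.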

Outlook

Google hasn’t disclosed whether CVE-2026-14053 is under active exploitation, but the timing—mid-year, outside the usual patch Tuesday rhythm—hints at urgency. The low severity rating might downplay the risk, but in an era where browser extensions are both essential and often ignored after installation, any data-leak path deserves immediate attention.

Expect Google to publish full technical details within a few weeks, once the update reaches critical mass. In the meantime, Chrome users should treat extensions with the same scrutiny as installed apps: less is more, and updated is always safer. The next Canary builds will likely include additional mitigations for cross-origin data handling in extensions, so keep an eye on the Chromium blog for hardening measures in the pipeline.