Google shipped a fix for a medium-severity information disclosure vulnerability in Chrome 150 on June 30, 2026, closing a hole that could let attackers steal sensitive data using nothing more than a crafted video file. The flaw, tracked as CVE-2026-13858, sits in the browser’s FFmpeg media processing pipeline and affects the stable desktop channel for Windows, Mac, and Linux.

The patch rolls out globally this week as part of Chrome’s regular update cycle. If you leave your browser open for extended periods, you’ll want to restart it immediately to ensure the update is applied.

What Actually Got Fixed

CVE-2026-13858 is an out-of-bounds read in the way Chrome’s FFmpeg component handles video files. FFmpeg is the open-source multimedia framework Chrome relies on to decode and demux virtually every video and audio format users encounter on the web—from MP4 to WebM to AV1. When Chrome processes a video stream, FFmpeg parses the container format, extracts the elementary streams, and hands them off to the appropriate decoders.

In certain edge cases, a malformed video file could trick FFmpeg into reading memory beyond the intended buffer boundaries. Out-of-bounds reads don’t allow direct code execution, but they can expose heap memory contents that may contain sensitive data: URLs, cookies, session tokens, or even parts of other web pages loaded in the browser process. A remote attacker could host a malicious video on a website and, if a user visits the page with Chrome, the vulnerability could leak data from the browser’s memory without any user interaction beyond loading the page.
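To make the bug class concrete, here is an added illustrative example that is not Chrome's or FFmpeg's code and not the code path fixed by CVE-2026-13858 (whose details are not public): a toy chunked-container parser written in the vulnerable pattern beside its bounds-checked form. The container layout, the function names and the two sample files are all constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical toy container (constructed for this example, not a real format):
 * a sequence of chunks, each [4-byte tag][4-byte little-endian length][payload]. */
typedef struct { uint32_t tag; uint32_t len; const uint8_t *payload; } chunk_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: only the 8-byte header is bounds-checked and the declared
 * length is trusted. A file whose length field exceeds the bytes actually present
 * yields a payload pointer/length pair that runs past the end of the buffer, so a
 * caller that copies or decodes `len` bytes reads whatever sits next on the heap. */
int parse_chunk_unchecked(const uint8_t *buf, size_t buflen, size_t off, chunk_t *out) {
    if (off > buflen || buflen - off < 8) return -1;
    out->tag = rd32le(buf + off);
    out->len = rd32le(buf + off + 4);
    out->payload = buf + off + 8;
    return 0;
}

/* Hardened form: the payload must fit in the bytes remaining after the header.
 * The subtraction is guarded by the header check, so it cannot underflow. */
int parse_chunk_checked(const uint8_t *buf, size_t buflen, size_t off, chunk_t *out) {
    if (off > buflen || buflen - off < 8) return -1;
    uint32_t len = rd32le(buf + off + 4);
    if (len > buflen - off - 8) return -2;  /* declared length overruns the file: reject */
    out->tag = rd32le(buf + off);
    out->len = len;
    out->payload = buf + off + 8;
    return 0;
}

/* Walk a whole file with the checked parser: chunk count, or -1 on any malformed chunk. */
int count_chunks(const uint8_t *buf, size_t buflen) {
    size_t off = 0; int n = 0; chunk_t c;
    while (off < buflen) {
        if (parse_chunk_checked(buf, buflen, off, &c) != 0) return -1;
        off += 8 + (size_t)c.len;
        n++;
    }
    return n;
}

/* Constructed sample files. good_file: two chunks ("vid0", 3 bytes; "aud0", 1 byte).
 * bad_file: one chunk whose header claims 0x7fffffff payload bytes but carries only 2. */
const uint8_t good_file[] = { 'v','i','d','0', 3,0,0,0, 1,2,3, 'a','u','d','0', 1,0,0,0, 9 };
const uint8_t bad_file[]  = { 'v','i','d','0', 0xff,0xff,0xff,0x7f, 0xAA,0xBB };
const size_t good_file_len = sizeof good_file, bad_file_len = sizeof bad_file;
```

The unchecked parser accepts bad_file's header and reports a 2 GB payload, which is exactly the length a downstream copy or decode loop would trust; the checked parser rejects it before any payload byte is touched.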

Google’s advisory classifies the bug as medium severity, consistent with other information disclosure bugs that lack an escalation path to remote code execution. The company says it is not aware of any active exploitation in the wild as of the patch release, but the public disclosure of the CVE means exploit attempts are likely to follow within days. The vulnerability was reported by an external security researcher, whose identity Google withholds as a matter of policy until the fix has been widely deployed.

What This Means for You

The practical risk splits along two lines: the average Windows user watching videos online, and IT administrators managing fleets of endpoints.

For home and everyday Windows users: The attack surface is real but not something you need to lose sleep over. To exploit CVE-2026-13858, an attacker needs to lure you to a page hosting a specially crafted video file: a phishing link, a malicious advertisement on an otherwise legitimate site, or a compromised video-sharing platform. Because the bug doesn’t require you to download a file or click “play” (merely loading the page that embeds the video can trigger the out-of-bounds read), it qualifies as a silent, drive-by attack.

What could an attacker actually steal? In the best-case scenario, random heap data that is of no value. In the worst-case scenario, memory contents that contain private information from your current browsing session. Since Chrome’s process model isolates sites, the leaked data would typically be limited to the memory space of the renderer process that loaded the malicious page, not the entire system. However, if that process happens to hold cross-origin data due to a separate bug or misconfiguration, the impact could be broader.

The bottom line: install the update. The bug is now public, and while it’s not a “drop everything” emergency, running an unpatched browser for weeks would be careless.

For IT administrators and enterprise Windows environments: This is the kind of vulnerability that belongs in your standard patch cycle, but with a slightly elevated priority. Because the attack requires no user interaction, it’s a candidate for drive-by attacks via compromised ad networks or watering-hole attacks. If your users visit a wide range of sites, the risk is higher. Combine this with the fact that Chrome’s auto-update mechanism can be delayed by user inaction (the browser needs a restart to apply the fix), and you may have many endpoints running vulnerable versions days after the patch.

Your checklist:
- Verify that Chrome 150.0.5898.0 (stable) or later is deployed across your fleet. The exact build number for Windows will be listed in the Chrome Releases blog; check your endpoint management tool.
- If your organization uses Group Policy or MDM to control Chrome updates, force an immediate update check and a relaunch prompt.
- Remind users to restart Chrome if they see the “Update available” notification.
- Review your web filtering and ad-blocking policies. While not a silver bullet, blocking known malicious domains and restricting video autoplay on untrusted sites can shrink the attack surface temporarily.

For developers and power users who compile Chromium or embed FFmpeg: This CVE sits in a third-party component that many applications beyond Chrome use. FFmpeg is ubiquitous in media players, streaming software, and video editing tools. If you maintain a project that bundles FFmpeg, check your dependency version against the patch that upstream FFmpeg has released (if the fix originated there). Google often applies targeted patches to its own fork of FFmpeg before upstream releases, so you’ll need to monitor Chrome’s code review for the exact commit. As of this writing, the upstream FFmpeg project has not yet issued an advisory correlating to this CVE, but that could change.

How We Got Here

Chrome’s relationship with FFmpeg goes back over a decade. In the early days, Chrome relied on system codecs for video playback, which was a nightmare of platform inconsistencies. Google eventually shipped its own copy of FFmpeg inside the browser, giving it control over the build configuration, security hardening, and the ability to apply patches quickly. That approach has paid off: dozens of FFmpeg vulnerabilities have been caught and fixed before they ever reached stable users. But it also means that every flaw in FFmpeg’s sprawling codebase becomes a potential Chrome zero-day.

CVE-2026-13858 is the third FFmpeg-related out-of-bounds read patched in Chrome in 2026. The previous two, CVE-2026-10123 and CVE-2026-11742, both fixed in April, were also rated medium severity. This pattern suggests that security researchers have been focusing on fuzzing the FFmpeg integration, and Google has been responding quickly—an encouraging sign for the browser’s defense-in-depth, but a reminder that video processing remains a treacherous corner of the attack surface.

Chrome 150 itself arrived in late June 2026, bringing a handful of new features for Windows users including improved dark mode theming, a redesigned download tray, and smoother WebGPU performance. The security patch was rolled into this release, indicating that the fix was developed in time to be included without an out-of-band emergency update.

From a Windows perspective, the vulnerability is platform-agnostic. FFmpeg runs the same on all operating systems, and the bug lies in the parsing logic rather than in any OS-specific code. Windows users get no extra risk—nor any special protection—compared to Mac or Linux counterparts. However, because Windows remains the most attacked desktop platform overall, the practical threat level is marginally higher simply due to the larger number of targeted attacks.

What to Do Now

Update Chrome. This is the single action that eliminates the vulnerability. Chrome typically downloads updates in the background and prompts you to relaunch the browser. To trigger it manually:
1. Open Chrome’s menu (three dots in the upper right corner).
2. Go to Help > About Google Chrome.
3. Chrome will check for updates. If an update is available, it will download and install automatically.
4. Click “Relaunch” to finish the update.

After relaunching, verify the version by going to Help > About Google Chrome again. You should see version 150.0.5898.0 or higher. The exact build string may include a trailing number specific to the platform; for Windows, it will likely be something like 150.0.5898.0 (Official Build) (64-bit).

If you can’t update immediately: Reduce your exposure by disabling automatic video playback. Google Chrome allows you to control autoplay behavior in site settings, but there is no single global toggle. You can block autoplay on a per-site basis. A more comprehensive approach: install a content blocker like uBlock Origin and configure it to block media elements on unknown sites—though this may break legitimate video embeds.

For enterprise administrators: Microsoft Endpoint Manager, Group Policy, or your preferred patching tool should push the latest Chrome MSI. Google publishes enterprise update notes for each stable release; check the Chrome Enterprise release notes for version 150 to confirm the exact MSI parameters and any known issues. If you use Chrome Browser Cloud Management, you can view the version distribution across your fleet from the Admin console.

Stay informed. Bookmark the Chrome Releases blog (https://chromereleases.googleblog.com) and the Chrome Security page (https://www.google.com/chrome/privacy/security.html) for official updates. CVE details are published in the National Vulnerability Database within a few days, so you can also monitor NIST’s NVD for the full technical write-up.

What’s Next

Google will not disclose the full technical details of CVE-2026-13858 until the update has saturated the install base, a window that typically lasts two to four weeks. After that, expect a detailed bug report on Chromium’s bug tracker and possibly a security conference talk or blog post from the researcher who discovered it. Those technical details may inspire copycat exploit attempts, but by then the patch will have been widely deployed, leaving only negligent stragglers exposed.

For Windows users, the bigger picture is this: Chrome’s security team continues to squash media-related vulnerabilities at a steady clip. As the browser evolves to support more advanced video codecs and integrates AI-driven video enhancement features, the FFmpeg component will remain a juicy target for attackers. Each successful patch is a win, but it also reminds us that the complexity of modern web video parsing is inherently dangerous. Keeping your browser updated remains the single most effective defense.