Google pushed out a Chrome 150 stable channel update on June 30, 2026, closing a high-severity security hole tracked as CVE-2026-13793. The flaw, rooted in the browser’s SVG rendering engine, could allow a remote attacker to bypass same-origin policies and exfiltrate sensitive data from cross-origin sites. Anyone running Chrome prior to version 150.0.7871.47 on Windows, macOS, or Linux is vulnerable and should update immediately.
The vulnerability, decoded
CVE-2026-13793 is a policy-enforcement flaw in Chromium’s SVG (Scalable Vector Graphics) compositor. SVG files can contain references to external resources, embedded scripts, and even HTML via the foreignObject element—all of which should be sandboxed to prevent cross-origin snooping. In vulnerable builds, a specially crafted SVG image, when opened in a browser tab, could circumvent the same-origin policy and read sensitive information from another website that the user had open or was authenticated to.
In practical terms, an attacker hosting a malicious page could embed an SVG payload that silently reads your email, scrapes social media tokens, or steals session cookies from a separate banking site. Because the attack requires no user interaction beyond visiting a booby-trapped webpage, Google classified it as a high-risk remote attack vector. While Google has not released a CVSS score as of publication, the severity rating aligns with critical data-exfiltration bugs that typically earn scores between 7.5 and 8.8.
The fix arrives in Chrome version 150.0.7871.47 for desktop platforms. The patch strengthens the SVG rendering pipeline, ensuring that cross-origin resource checks cannot be bypassed through malformed element nesting or timing attacks. The stable channel update also bundles a handful of lower‑severity fixes that will be detailed in the full release notes.
Who should take action and why
Home users. If you use Chrome for anything beyond casual browsing, this bug is serious. Any website you visit can become a launchpad for stealing credentials or exfiltrating data from other open tabs. Since modern users routinely juggle dozens of tabs—Gmail, Twitter, banking, webmail—the exposed surface is enormous. Even password managers that autofill credentials are at risk if attackers can read from a companion extension’s origin.
Enterprise administrators. Managed environments need to push this update before employees return to work on Monday, July 2. The attack requires only that a victim open a compromised page; no click on a phishing link is necessary. A watering‑hole attack on a popular site or an advertisement network could silently reach thousands of browsers in minutes. Administrative templates for Chrome 150 are already available for Group Policy, and forced relaunch settings should be enabled.
Chromium-based browser maintainers. Edge, Brave, Opera, Vivaldi, and other Chromium‑derived browsers share the SVG engine. While Microsoft has not yet issued a dedicated advisory, history suggests an Edge Stable update will follow within 48 hours. Admins who manage multiple browsers should watch for version bumps and apply them with the same urgency.
Developers and site owners. If your site accepts SVG uploads or renders user‑supplied SVGs (for example, avatar images or diagram editors), audit your sanitization pipeline immediately. Even if a browser patch lands, older or unpatched clients may still be vulnerable. Consider temporarily blocking SVG uploads or serving them from an isolated domain until you confirm clients have updated.
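A conservative server-side sanitizer for user-supplied SVGs, as an added example (not code from the article, Google or Chromium): it strips the features the article names (script, foreignObject, external references via href/xlink:href, inline event handlers) before an upload is stored. The sample upload and the `other.example` hosts are constructed; the DROP_TAGS list and the functions are this example's own choices, not a Chromium allow-list.

```python
import xml.etree.ElementTree as ET
SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Removed outright: these can run code, embed HTML, or @import remote CSS.
DROP_TAGS = {f"{{{SVG_NS}}}{t}" for t in ("script", "foreignObject", "style")}
# Elements with these attributes (use, image, feImage, a, ...) can fetch
# cross-origin resources; kept only when the reference stays in-document.
HREF_ATTRS = ("href", f"{{{XLINK_NS}}}href")
def _should_drop(el):
    if el.tag in DROP_TAGS:
        return True
    return any(a in el.attrib and not el.attrib[a].strip().startswith("#") for a in HREF_ATTRS)

def _strip_handlers(el, report):
    # on* attributes (onload, onclick, ...) are inline script.
    for name in list(el.attrib):
        if name.rsplit("}", 1)[-1].lower().startswith("on"):
            del el.attrib[name]
            report.append("attribute " + name)

def _scrub(parent, report):
    for child in list(parent):
        if _should_drop(child):
            parent.remove(child)
            report.append("element " + child.tag.rsplit("}", 1)[-1])
        else:
            _strip_handlers(child, report)
            _scrub(child, report)

def sanitize_svg(svg_text):
    """Return (clean_svg, report); raise ValueError for input we refuse."""
    if "<!DOCTYPE" in svg_text:  # no entity declarations in uploads
        raise ValueError("DOCTYPE not allowed")
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    root = ET.fromstring(svg_text)  # prefer defusedxml in production
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not <svg>")
    report = []
    _strip_handlers(root, report)
    _scrub(root, report)
    return ET.tostring(root, encoding="unicode"), report

# Constructed sample upload: legitimate content plus each removed feature.
SAMPLE_UPLOAD = """<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <defs><circle id="dot" r="4"/></defs><use href="#dot" x="10" y="10"/>
  <use xlink:href="https://other.example/sprite.svg#icon"/>
  <image href="https://other.example/pixel.png"/><script>alert(document.domain)</script>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">hi</body></foreignObject>
  <rect width="5" height="5" onclick="alert(2)"/></svg>"""
```

Even sanitized files are best served from a separate origin with a `Content-Security-Policy: sandbox` response header, so that an unpatched client rendering them gains nothing from the main site's origin.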
The root cause: SVG’s dangerous flexibility
SVG is not a simple image format. It is a full document format that supports scripting, external fonts, CSS, and even interactive animations. This power has made it a favorite for infographics and vector icons but also a perennial source of browser bugs. In 2021, CVE‑2021‑21147 illustrated how SVG filters could bypass site isolation. In 2023, a flurry of SVG‑related Chrome bugs was patched around the time WebGPU shipped, because the new graphics stack inadvertently widened the attack surface. CVE‑2026‑13793 is the latest reminder that every feature in an SVG document—from its use element’s clone‑node behavior to the way it fetches pattern images—must be treated with the same security rigor as an <iframe>.
Chromium’s SVG policy enforcement is supposed to inspect every cross‑origin request and block any that would leak data. Researchers suspect the 2026 bug lies in how the browser optimized the loading of SVG resources included via the <use href="…"> or <feImage> elements, allowing a timing attack to extract pixel data or unredacted text from a different origin. Google’s security team has not yet released the full technical post‑mortem, which is customary during the first week after a patch to give end users time to update.
The vulnerability was reported by an external security researcher through Google’s Vulnerability Reward Program (VRP), though the researcher’s name has not been disclosed. The bug was assigned the ID CVE‑2026‑13793 and marked as “High” severity on June 29, 2026, before the fix was shipped the following day.
How to secure your browser now
For the vast majority of users, the solution is straightforward: restart your browser. Chrome updates automatically in the background, but to apply the patch immediately, follow these steps:
- Click the three‑dot menu in the top‑right corner.
- Navigate to Help → About Google Chrome.
- The browser will check for updates and start downloading version 150.0.7871.47 (or later).
- When the download finishes, click Relaunch.
If you manage devices through a mobile device management (MDM) platform, use the auto_update_enabled and rollback_to_target_version policies to force the update. The following table lists the earliest safe version per channel:
| Channel | Safe Version (or later) |
|---|---|
| Stable (Desktop) | 150.0.7871.47 |
| Extended Stable | 150.0.7871.47 |
| Beta | 151.0.7912.2 |
| Dev | 152.0.7934.0 |
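A fleet check against the per-channel floors in the table above, as an added example (not from the article or from Google): it parses Chrome's four-part version strings and compares them numerically, which a plain string comparison gets wrong once a component passes two or three digits. The inventory export format and the hostnames are constructed; the channel names are this example's keys.

```python
# Minimum safe version per channel, taken from the table above.
SAFE_VERSIONS = {
    "stable": "150.0.7871.47",
    "extended_stable": "150.0.7871.47",
    "beta": "151.0.7912.2",
    "dev": "152.0.7934.0",
}

def parse_version(text):
    """Chrome versions are four dotted integers; compare them numerically,
    never as strings ("150.0.7871.100" sorts below "150.0.7871.47" as text)."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_patched(channel, version):
    """True when the installed build is at or above the channel's safe floor."""
    return parse_version(version) >= parse_version(SAFE_VERSIONS[channel])

# Constructed inventory export: hostname,channel,installed version
INVENTORY = """\
ws-101,stable,150.0.7871.47
ws-102,stable,150.0.7860.91
ws-103,stable,149.0.7800.120
ws-104,extended_stable,150.0.7871.47
lab-01,beta,151.0.7912.2
lab-02,beta,151.0.7905.10
dev-01,dev,152.0.7934.0
dev-02,canary,153.0.7950.0
"""

def audit(inventory_csv):
    """Return (hosts needing the update, hosts on a channel with no published floor)."""
    needs_update, unknown_channel = [], []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, channel, version = (f.strip() for f in line.split(","))
        channel = channel.lower()
        if channel not in SAFE_VERSIONS:
            unknown_channel.append(host)  # e.g. Canary: review manually
        elif not is_patched(channel, version):
            needs_update.append(host)
    return needs_update, unknown_channel

if __name__ == "__main__":
    print(audit(INVENTORY))
```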
Edge users. As of press time, Microsoft has not released a fix. To monitor the status, open edge://settings/help and check for updates manually. We expect the patched Edge version to be 150.0.7871.47 as well, but the build number suffix may differ. Enterprise admins should subscribe to the Microsoft Security Advisory page for formal notification.
Can I disable SVG temporarily? Not easily. No about:flags toggle deactivates SVG processing wholesale, and blocking the SVG file extension at the network layer would break millions of websites. The only reliable mitigation is the browser update.
Do I need to change passwords? If you believe you may have visited a suspicious website prior to updating, rotating credentials—especially for email, financial, and social media accounts—is a prudent precaution. However, Google has not disclosed any active exploitation of CVE‑2026‑13793 in the wild.
What’s next for Chromium‑based browsers
Because the patch landed first in the upstream Chromium project, every browser that builds on Chromium must merge the commit and release its own update. Microsoft Edge typically follows within two business days; Brave and Vivaldi often ship within a few hours thanks to their rapid release cycles. Opera, which maintains a customized build, may take up to a week. The Electron framework, used by hundreds of desktop apps, is also affected, though individual app vendors will need to update their Electron versions.
Google will likely publish a more detailed analysis on the Chrome Releases blog and the Chromium bug tracker over the next week, once the majority of users have patched. Security researchers often publish proof‑of‑concept code at the same time, which could lead to opportunistic scanning if users delay updates.
One silver lining: Chrome’s automatic update mechanism has matured over the years, and most consumer systems will receive the patch within 24 hours without user intervention. Enterprise administrators who have set Chrome policies to control update cadence should review those settings to ensure they don’t delay security patches beyond the next scheduled maintenance window.
In the longer term, expect this incident to renew discussions about restricting SVG’s most powerful features within the browser, similar to ongoing debates about sandboxing PDFs or JavaScript. For now, the immediate lesson is the same as it’s always been: when a high‑severity Chrome bug is disclosed, update first and ask questions later.