Google has patched a spoofing vulnerability in Chrome for Mac that could have let attackers fake the address bar and trick users into handing over passwords or financial details. The fix ships in Chrome 150.0.7871.47, released June 30, 2026, and covers CVE-2026-14077, a low‑severity design flaw in how the browser renders certain HTML elements.

The bug sits in what Google calls the “Select implementation”—the code that draws drop‑down menus on web pages. An attacker who crafted a malicious page could exploit the way those menus overlay content to display a fake omnibox, the combined address bar and search box that users rely on to see which site they are visiting. If successful, the spoof would show a trusted domain while the real page was under the attacker’s control.

Google’s advisory rates the flaw as low severity on its internal scale but attaches a “Medium” risk label, a reflection of the damage UI‑spoofing bugs can do even when they don’t grant deep system access. There is no evidence the bug was exploited in the wild before the patch, but the fix landed quietly inside the regular Stable channel update, so it’s likely in the hands of most users already.

What actually changed

The update looks like a routine point release. When you open About Google Chrome on a Mac, you will see version 150.0.7871.47. The only security entry in Google’s changelog is CVE-2026-14077, credited to an unnamed external researcher who reported the issue through the Chrome Vulnerability Rewards Program. The official description is sparse: “Low CVE-2026-14077: UI spoofing in Select. Reported by [researcher] on 2026‑05‑12.”

Behind that one‑liner is a real change in the rendering pipeline. The browser must now handle cascading style sheets and element stacking in a way that prevents a malicious page from covering the true address bar with a crafted dropdown that displays a different URL. The patch likely enforces a stricter z‑order or isolates the omnibox region from page‑controlled elements—a common fix for this class of vulnerability.

The update is Mac‑only. Chrome on Windows, Linux, and Android does not share the affected code path because the Select implementation varies by platform. Mac users who haven’t yet restarted Chrome since the end of June should do so now. The browser typically applies updates silently in the background and swaps them in on the next launch, but a manual check guarantees you’re covered.

What it means for you

If you use Chrome as your daily driver on a Mac, the practical risk was never sky‑high. Omnibox spoofing requires a crafted website that you would have to visit, and then you’d need to ignore other clues—like a missing padlock icon, an unusual page layout, or a URL that doesn’t match the claimed identity. Still, UI flaws chip away at the trust users place in the browser’s most important security indicator.

For home users. The main concern is phishing. An attacker could register a lookalike domain, design a login page that mirrors your bank or email provider, and use the spoof to display the legitimate domain in the address bar. Even cautious users who habitually check the URL might be fooled. After the patch, that attack path is closed. The update will also be bundled into future Chrome downloads, so new installations are protected.

For IT administrators. Roll out Chrome 150.0.7871.47 to your Mac fleet immediately. Because the vulnerability is rated low, it’s unlikely to trigger an emergency change in most organizations, but any gap in address‑bar integrity undermines phishing‑resistant authentication and user training. If you manage Chrome via enterprise policies, force an update or verify that auto‑updates are configured correctly. The update is also available as an offline installer for air‑gapped networks.

For developers. If you build web applications or browser extensions, the patch may alter how certain CSS‑driven layouts interact with the address bar region. Test any UI that uses complex overlays near the top of the viewport, especially if it involves styled <select> elements. In the long run, the fix aligns Chrome with modern web standards that more clearly separate browser chrome from page content.

How we got here

Chrome’s address bar has been spoofed many times before. In 2019, security researcher James Fisher demonstrated what he called the “inception bar,” a technique on mobile Chrome that used a scroll‑to‑top trick to slide a fake bar over the real one. That bug earned a $5,000 bounty and a swift patch. Since then, almost every major Chrome release has included at least one fix for a UI‑spoofing vulnerability, often in components like the omnibox, navigation, or full‑screen handling.

CVE-2026-14077 falls into a category known as “UI redress” or “tapjacking”—attacks that misuse legitimate interface elements to misrepresent the application’s state. These bugs are hard to stamp out because browsers must walk a fine line between giving web developers expressive power and preserving a trusted region that the operating system itself doesn’t enforce. Apple’s Safari and Mozilla Firefox have faced similar issues, though implementation details differ.

The Mac‑only nature of this CVE points to Chrome’s platform‑specific rendering backends. On Windows, the browser uses its own Aura framework to draw widgets; on macOS, it leans more heavily on Cocoa views for certain UI elements. The Select implementation—the native‑looking dropdown list—is one such Cocoa component, which made it susceptible to an overlay attack that didn’t exist on other platforms.

Chrome 150 arrived in late June 2026 with a handful of performance tweaks and a new CSS feature, but the security fix is the standout change for Mac users. Google’s policy is to disclose vulnerabilities only after a majority of users have the patch, so the public learned about CVE-2026-14077 a few days after the actual release.

What to do now

Updating Chrome on a Mac takes less than a minute. Here’s the quickest route:

  1. Open Chrome.
  2. Click the three‑dot menu > Help > About Google Chrome.
  3. Chrome will look for updates and download version 150.0.7871.47 if you don’t already have it.
  4. Click Relaunch to apply the update.

If you prefer to wait for the browser to update itself, make sure Slack or other apps aren’t blocking the auto‑update. Chrome typically checks every few hours and applies updates when you next quit and reopen the browser.

For enterprise admins, the build is available in the 150.0.7871.47 package on Google’s download page. Government and healthcare organizations with strict compliance should note the CVE ID in their patch management records, even though the severity is low. The update does not require any configuration changes.
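For fleet verification, the check below compares a Mac's installed Chrome version against 150.0.7871.47. It is an added example, not Google's tooling or part of the original article; the bundle path is the assumed default install location and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Google's tooling): flag Macs still below the patched Chrome build.
FIXED_VERSION="150.0.7871.47"   # fixed build named in the article
# Assumption: default install location of Chrome on macOS.
CHROME_PLIST="/Applications/Google Chrome.app/Contents/Info.plist"

# version_ge A B: return 0 if A >= B, 1 if A < B, 2 if a field is not numeric.
# Fields are compared as integers; a plain string compare would rank
# 150.0.7871.9 above 150.0.7871.47 and 99.x above 150.x.
version_ge() {
  va=$1; vb=$2
  while [ -n "$va" ] || [ -n "$vb" ]; do
    fa=${va%%.*}; fb=${vb%%.*}
    case $va in *.*) va=${va#*.} ;; *) va= ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    fa=${fa:-0}; fb=${fb:-0}
    case "$fa$fb" in *[!0-9]*) return 2 ;; esac
    if [ "$fa" -gt "$fb" ]; then return 0; fi
    if [ "$fa" -lt "$fb" ]; then return 1; fi
  done
  return 0
}

# classify_version V: print patched, vulnerable, or unknown for version string V.
classify_version() {
  [ -n "$1" ] || { echo unknown; return 0; }
  rc=0
  version_ge "$1" "$FIXED_VERSION" || rc=$?
  case $rc in
    0) echo patched ;;
    1) echo vulnerable ;;
    *) echo unknown ;;
  esac
}

# installed_chrome_version: read the version from the app bundle (macOS only).
installed_chrome_version() {
  /usr/bin/defaults read "$CHROME_PLIST" CFBundleShortVersionString 2>/dev/null
}

# Query the local install only when asked, so the functions can be reused.
if [ "${1:-}" = "--check" ]; then
  v=$(installed_chrome_version) || v=""
  echo "Chrome ${v:-not found}: $(classify_version "$v")"
  [ "$(classify_version "$v")" = patched ] || exit 1
fi
```

Run with `--check` on the Mac itself; the exit status is non-zero for anything other than a patched build. The version in the bundle on disk can be ahead of the running browser until Chrome is relaunched.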

After updating, there is no settings toggle to adjust. The fix is baked into the rendering engine. Users need not change their behavior other than to remain alert for any unusual address‑bar displays, as no patch can cover every future variant of spoofing.

Outlook

UI‑spoofing bugs are a persistent category. As browsers add more immersive features—WebGPU, AR/VR, customized scrollbars—the attack surface for tricking the address bar grows. Browser vendors are iterating on architectural changes that isolate the trusted UI “chrome” from page content more thoroughly. For now, the CVE-2026-14077 patch shows Google is closing known gaps quickly.

Mac users can expect another Stable channel update around mid‑July 2026 as part of Chrome’s regular six‑week release cycle. Keep an eye on the “about” page and subscribe to Google’s Chrome Releases blog if you want early notice. In the meantime, the omnibox you see at the top of your browser is once again as trustworthy as it should be.