Google has released a fresh Stable channel update for Chrome on macOS, version 150.0.7871.47, to stomp out a bug that could let malicious websites fool users into uploading unintended files. The vulnerability, designated CVE-2026-13998, is classified as a Medium-severity “incorrect security UI” issue in file input handling. Although specific to Apple’s desktop operating system, the release packs additional security fixes for Windows, Linux, and ChromeOS—making it a must-install for anyone running the browser.

What Actually Changed

CVE-2026-13998 is all about how Chrome displays file selection dialogs on macOS. In certain crafted scenarios, an attacker could design a webpage that misrepresents which file the user is about to upload. Picture this: you visit a site that asks you to upload a profile picture. You click the button, pick an innocent image, and trust that only that image gets sent. But because of a slip in the security UI, a hidden file input might actually be capturing a different, more sensitive file—like a configuration plist or a document in your home folder—without you realizing it.

The exact mechanics are described as “incorrect security UI in file input.” That typically means the browser’s interface wasn’t properly showing the user which file had been selected for upload, or it allowed a website to trick the UI into looking like a different input. Remote attackers could exploit this by hosting a specially crafted HTML page that, when visited, could trigger the flawed file upload behavior and exfiltrate files if the user can be convinced to click a button.

Google’s update to version 150.0.7871.47 patches that hole. According to the company’s standard disclosure, the fix also includes an unspecified number of other security corrections for the browser’s core components on all platforms. Google does not immediately detail every CVE until a majority of users have applied the update, but the release notes for the Stable channel hint at multiple fixes related to UI, networking, and rendering engines.

Chrome users on macOS will see the version number bump to 150.0.7871.47 after restarting the browser. For Windows, the same version string applies, though the specific files and patches differ by platform. The update rolled out over the air on August 15, 2026, and should reach all endpoints within days.

What It Means for You

The impact varies depending on which operating system you’re using and your role.

For everyday macOS users: You’re directly in the crosshairs. If you haven’t updated yet, any malicious site could potentially trick you into uploading files you never intended to share. While the flaw requires user interaction—you have to click something—that’s not a high bar. Phishing campaigns often rely on click-baiting victims. The risk is especially acute if you frequently use web-based file upload tools, like cloud storage web interfaces, photo editors, or job portals that ask for documents.

For Windows and Linux users: This particular CVE does not affect you. However, the same version 150.0.7871.47 packages other security fixes that are relevant. Google patches a swath of vulnerabilities in each release, and some of them are marked Critical. Not updating leaves you vulnerable to other known attacks. For example, prior releases in the Chrome 150 branch corrected use-after-free flaws in the networking stack and integer overflows in WebRTC—issues that could potentially allow remote code execution. Skipping this update means you’re running a browser with known security holes, even if CVE-2026-13998 isn’t one of them.

For IT administrators and enterprise deployment teams: You’ll want to push this update urgently across your managed fleet of Macs, and also for Windows and Linux devices as part of your regular patch cycle. The medium severity might tempt you to postpone, but any flaw that can be triggered by merely visiting a website is a serious concern for environments where users browse the internet or open email attachments. Use your endpoint management tools (Microsoft Intune, Jamf, GPO) to force the update or at least prompt users. Google provides MSI installers and enterprise templates for offline deployment.

For developers: If you maintain web applications that handle file uploads, review your input validation and UI to ensure you aren’t inadvertently relying on browser behavior that could be spoofed. While this CVE is a browser bug, robust server-side checks on uploaded files remain essential.

How We Got Here

Google releases Chrome updates on a rapid pace—usually every few weeks for the Stable channel. Each update bundles patches for vulnerabilities discovered internally by Google’s Project Zero team, reported through the Chrome Vulnerability Rewards Program (VRP), or found by external security researchers. In this case, CVE-2026-13998 was reported by an outside researcher (the name was not disclosed in the preliminary advisory) and earned a bug bounty that Google hasn’t yet quantified.

The file input UI spoofing issue isn’t entirely new. Similar bugs have surfaced in the past across multiple browsers. Back in 2020, a researcher demonstrated how a file upload dialog could be obscured to steal files on Android through Chrome. In 2024, a series of fixes addressed “Origin” header problems that could confuse file upload sources. The persistence of these flaws highlights how tricky it is to secure the file-picker interface consistently across operating systems, each with its own native dialog behavior.

macOS, in particular, sometimes uses native Cocoa file dialogs that Chrome wraps, and discrepancies between the browser’s sandbox and the system’s own UI can lead to confusion. Attackers have learned to exploit these gaps by injecting HTML that abuses the timing or look of the upload prompt.

The discovery also underscores the value of Google’s quick update cycle. Within days of the researcher filing the report, the fix was written, tested, and shipped to the Stable channel. Google typically observes responsible disclosure, publishing an entry on its Chrome Releases blog once enough endpoints have the patch.

What to Do Now

Check your Chrome version. Click the three-dot menu in the top-right corner, go to Help > About Google Chrome. The browser will automatically check for updates and display the current version. If you’re on anything below 150.0.7871.47, it will start downloading the update. You’ll need to relaunch the browser to complete the installation.

Enable auto-update. Chrome usually updates itself in the background, but some users disable this service. Make sure that “Google Update” (or “GoogleSoftwareUpdate” on Mac) is running and not blocked by firewalls or permissions. On macOS, the updater is a LaunchDaemon plist; you can verify its status in Activity Monitor or by checking processes called “Google Updater.”

Enterprise and managed environments:
- Download the latest enterprise MSI (Windows) or PKG (Mac) from Google’s enterprise download page.
- Use group policies to force an update prompt or schedule silent updates. The Chrome management templates include settings for update notifications and automatic restarts.
- For Mac endpoints managed via MDM, you can push the package as a managed software update. Test on a pilot group first to ensure compatibility with internal web apps.

Be cautious with file uploads. Even after updating, practice safe browsing: never click on suspicious links, and double-check the file name and path displayed in the upload dialog before confirming. If a website’s upload button behaves oddly—for instance, if it shows a different file than you selected, or if the dialog flickers—cancel immediately and report it to the IT security team.

Consider additional browser hardening. Extensions like uBlock Origin can block malicious scripts, and disabling unneeded site permissions reduces exposure. For high-risk users, run Chrome in a sandboxed environment or use Google’s Enhanced Safe Browsing mode.

Outlook

Google will eventually release a full write-up of CVE-2026-13998 on its bug tracker and the Chrome Release blog, likely within a week once the update reaches widespread adoption. Expect more patches in the coming weeks as the Chrome 151 development cycle progresses. The battle against UI spoofing is ongoing; as browsers add more features and operating systems evolve, attackers will continue to probe the boundaries between what the user sees and what the web application can actually do. The best defense remains regular, automatic updates and a healthy skepticism about what you click online.