Google shipped Chrome 150.0.7871.47 for Windows on June 30, 2026, fixing a heap buffer overflow in WebNN that can be triggered by a specially crafted webpage. The company tagged CVE-2026-14087 as low severity, but the nature of the bug makes it a high-stakes security concern that demands immediate patching.
The concrete change: what Google actually delivered
The update to Chrome 150.0.7871.47 for Windows addresses a single security vulnerability: CVE-2026-14087, described as a heap buffer overflow in WebNN—the Web Neural Network API. Google’s release notes state that the flaw can be exploited if an attacker persuades a user to visit a malicious HTML page. The company classified the issue as “Low” severity, but withheld technical specifics, a common practice to give users time to patch before exploit details become public. The fix landed in the stable channel on June 30, 2026, with no other security patches in this release.
Heap buffer overflows in browser engines are dangerous because they let an attacker read or write beyond the bounds of a heap allocation, which in a renderer routinely ends in arbitrary code execution. Google has not said which WebNN code path is affected, but WebNN exists to accept model graphs and tensor data supplied by web content, so a memory-safety bug in it is reachable from any page. A successful exploit compromises the renderer process; chained with a sandbox-escape bug, it reaches the underlying operating system.
What it means for you
Home users
If you use Chrome on Windows, update now. The attack vector is a rigged website: no user interaction beyond loading the page is needed, so drive-by pages, malvertising and phishing links all serve. Code execution in the renderer is already serious, and an attacker can chain it with a second bug to escape Chrome's sandbox. The "Low" label reflects Google's internal severity scoring, not the real-world risk once exploit code exists.
IT administrators
Enterprise environments should roll out the update immediately via Group Policy, SCCM, or your patch management tool. Google Update's administrative templates let you enforce automatic updates and pin a target version. Check that managed Chrome instances across your fleet are on version 150.0.7871.47 or later, and remember that a downloaded update is only applied when the browser relaunches, so a machine that fetched the patch days ago may still be running the vulnerable build. If you hold updates for compatibility testing, shorten the delay for this one: once a memory-safety fix ships, patch-diffing often yields a working exploit within days.
Developers and AI practitioners
If your web apps rely on WebNN for AI inference, make sure your users are running the patched browser. Correct use of the API should not trigger the bug; the risk comes from attacker-controlled pages, not from your own code. Even so, any security flaw in WebNN can undermine user trust in browser-based AI. Test your applications against the new version and watch for behaviour changes. Google may tighten WebNN memory handling in future releases, which could affect performance, so benchmark against the current baseline now.
How we got here: AI’s new attack surface in the browser
WebNN first appeared in Chrome back in 2023, offering JavaScript access to hardware-accelerated neural network inference. It quickly became a cornerstone for browser-based AI, enabling real‑time object detection, speech recognition, and image generation without relying on cloud services. But extending the browser with low-level hardware access inevitably widens the attack surface.
Chrome’s security team has patched several WebNN issues over the years—CVE-2024-7524 (a similar overflow), CVE-2025-10322 (type confusion), and now CVE-2026-14087. The trend suggests that as WebNN usage grows—fueled by on‑device AI features in ChromeOS, Google Meet, and third‑party web apps—more vulnerabilities will surface. The heap overflow in Chrome 150 underscores the challenge of validating complex tensor shapes, memory layouts, and operator chains in a hostile environment.
At the same time, Chrome's four-week release cycle and automatic updater mean most users get patches quickly. Yet user complacency is a persistent problem: significant numbers of users remain on outdated versions long after fixes ship. The "Low" severity rating may inadvertently discourage some from updating promptly, creating a window of exposure if exploit code leaks.
What to do now
Update Chrome immediately
- Open Chrome.
- Click the three‑dot menu → Help → About Google Chrome.
- The browser checks for updates and installs version 150.0.7871.47 (or newer) automatically.
- Click Relaunch to complete the update.
Verify the update
Type chrome://settings/help in the address bar. The version should read 150.0.7871.47 or higher. If your organisation manages Chrome, confirm with your IT team that the latest patch has been deployed.
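For the fleet check mentioned under "IT administrators" and the verification step above, the following PowerShell script reports the Chrome build actually installed on a Windows host and flags anything below 150.0.7871.47. It is an added example for this article, not code from Google or the Chrome project. It assumes Google's default install locations (per-machine under Program Files, per-user under LOCALAPPDATA), that PowerShell remoting (WinRM) is enabled on the targets for the fleet variant, and the hostnames in the remote example are placeholders.

```powershell
# Added example (not from Google or the original article).
# Reads the version resource of chrome.exe and compares it with the patched build.
# Assumptions: default Chrome install paths; PowerShell remoting for the fleet run.

$PatchedBuild = '150.0.7871.47'   # version named in the article

# Everything lives in one scriptblock so the same code runs locally and via Invoke-Command.
$CheckChrome = {
    param([string]$MinimumVersion)

    $minimum = [version]$MinimumVersion

    # Per-machine (64-bit and 32-bit Program Files) and per-user install locations.
    # ${env:ProgramFiles(x86)} is empty on 32-bit Windows; the bogus path simply fails Test-Path.
    $candidates = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    )

    $exe = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $exe) {
        return [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Installed = $null
            Patched   = $false
            Path      = 'Chrome not found'
        }
    }

    # ProductVersion of chrome.exe is the full four-part build, e.g. 150.0.7871.47.
    # The file is only replaced when Chrome relaunches, so this reflects the build in use,
    # not an update that is downloaded but still pending.
    $installed = [version](Get-Item -LiteralPath $exe).VersionInfo.ProductVersion

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Installed = $installed
        Patched   = ($installed -ge $minimum)   # [version] compares numerically, not as strings
        Path      = $exe
    }
}

# Local check on this workstation.
& $CheckChrome $PatchedBuild | Format-Table -AutoSize

# Fleet check: run the same scriptblock on remote hosts and list only the unpatched ones.
# 'ws01' and 'ws02' are placeholder hostnames.
$hosts = 'ws01', 'ws02'
Invoke-Command -ComputerName $hosts -ScriptBlock $CheckChrome -ArgumentList $PatchedBuild -ErrorAction Continue |
    Where-Object { -not $_.Patched } |
    Format-Table Computer, Installed, Path -AutoSize
```

Two caveats: the `[version]` cast is what makes the comparison correct (a string comparison would put 150.0.7871.47 below 150.0.7871.5), and in a remote session `$env:LOCALAPPDATA` belongs to the account running the command, so per-user installs belonging to other logged-on users are not seen; per-machine installs, which is what managed fleets should be using, are covered.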
Enable automatic updates
If you previously disabled automatic updates, re-enable them. On Windows, Chrome is updated by the Google Update services (gupdate and gupdatem); check in services.msc that they are not disabled, and remove any Group Policy or registry override that switched updates off. chrome://settings/help will tell you if updates are blocked by policy.
Mitigation for those who cannot update yet
If an immediate update is impossible, consider disabling WebNN as a short‑term workaround:
- Navigate to chrome://flags/#enable-webnn
- Set the flag to Disabled
- Restart Chrome
This will break web applications that rely on WebNN, so test before deploying across an organisation. Note also that chrome://flags settings are per-user and are not controlled by enterprise policy, so a user can re-enable the API at any time; treat this as a stopgap for individual machines, not a fleet-wide control.
Monitoring and defence
- Keep an eye on Google’s Chrome Releases blog for any updates on CVE-2026-14087 or indications of active exploitation.
- Enterprises should monitor for post-exploitation behaviour, such as Chrome processes spawning unexpected child processes or unusual outbound connections from workstations, though no IoCs have been shared publicly.
Outlook: a warning shot for browser‑based AI
The WebNN heap overflow in Chrome 150 is unlikely to be the last. As Google pushes on‑device AI deeper into the browser—with features like the Gemini integration and on‑device translator—the tension between innovation and security will only grow. Security researchers will likely target WebNN, WebGPU, and related APIs for future discoveries. Google may need to move beyond vague severity labels and provide clearer guidance when a “low” bug carries exploit potential. For now, the simplest lesson stands: patch Chrome on Windows without delay.