Google shipped a critical update for Chrome 150 on Windows on June 30, 2026, patching a vulnerability that could let attackers steal sensitive information from a computer’s memory using nothing more than a rigged webpage. The flaw, tracked as CVE-2026-13958, affects all Chrome versions before 150.0.7871.47 and can leak passwords, cookies, or other private data. Early analyses, however, reveal that the National Vulnerability Database (NVD) entry for this CVE contains a version mismatch that could confuse automated vulnerability scanners, causing them to misidentify whether a system is patched or still at risk.

The patch: what got fixed

Chrome 150.0.7871.47 resolves a memory corruption bug in the browser’s rendering engine. According to Google’s advisory, a crafted HTML page could trigger a read-out-of-bounds condition, allowing a remote attacker to access sensitive information held in the process memory of the browser. This type of bug falls under CWE-125 (Out-of-bounds Read), a class of flaw that has been a persistent source of browser exploits in recent years.

The technical details are deliberately sparse. Google is withholding complete exploit information until the majority of users have applied the update—a standard practice to prevent threat actors from reverse-engineering the fix. What we do know is that the vulnerability affects Chrome’s stable channel on Windows exclusively, and that exploitation does not require user interaction beyond visiting a malicious website. No active attacks were reported at the time of patch release, but memory-disclosure bugs of this kind can be exploited silently, leaving no obvious traces on the affected machine.

The update arrived through Chrome’s automatic update mechanism. Most users should already be running the fixed version, but the rollout can take days, and enterprise-managed deployments may lag behind. The build number for Windows is 150.0.7871.47; users can verify this by navigating to chrome://settings/help inside the browser.

Why your vulnerability scanner might miss this fix

While the patch itself is straightforward, complications have emerged in how the CVE is catalogued. The NVD, which feeds data to nearly all vulnerability management platforms, appears to use an incorrect Common Platform Enumeration (CPE) string that maps the flaw to an older Chrome version range. Several initial reports—corroborated by posts on security mailing lists—note that the NVD entry currently associates CVE-2026-13958 with Chrome versions “prior to 150.0.7871.47,” but the underlying CPE pattern checks for “:::::::” without accurately bounding the version. In practice, this means some scanners may:

  • Flag systems running 150.0.7871.47 as still vulnerable because the CPE doesn’t reflect the fixed version.
  • Conversely, mark older versions as patched if the regex incorrectly matches.

This mismatch risks leaving organizations with a false sense of security or causing unwarranted alarm. The issue is not new: NVD CPE mismatches have tripped up IT teams before, most recently with CVE-2025-1482 earlier this year. Until the NVD corrects its entry, manual verification becomes essential.

What this means for you

For home users

If you use Chrome on a Windows PC, your primary action is simple: check that you’re running version 150.0.7871.47 or later. Chrome updates itself automatically, but you can force an update by going to chrome://settings/help and restarting the browser when prompted. Since the vulnerability can be triggered by merely visiting a malicious website, staying current is the only reliable defense.

There are no known exploits circulating yet, but memory-disclosure bugs are valuable to attackers because they can harvest session tokens, login credentials, or even encryption keys from browser memory. Once a patch is public, the race to weaponize the flaw begins. Don’t wait.

For IT administrators

If you manage a fleet of Windows endpoints with Chrome deployed via group policy or SCCM, the situation demands a two-step verification:

  1. Deploy the update immediately. The MSI installer for Chrome 150.0.7871.47 is available through Google’s enterprise download page. Ensure all managed browsers are updated within your next patch window—ideally within 48 hours.
  2. Don’t trust your scanner’s word alone. Given the NVD CPE confusion, run a manual spot check on a sample of endpoints. Use PowerShell commands like Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object { $_.DisplayName -like '*Chrome*' } | Select-Object DisplayName, DisplayVersion to confirm the installed version. Cross-reference with your vulnerability management dashboard; if you see discrepancies, open a support ticket with your scanner vendor to clarify the CPE logic.
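The two failure modes described in the CPE section, and the manual spot check above, can be reproduced against an inventory of DisplayVersion values. This is an added example, not code from Google or from any scanner vendor: the inventory rows are constructed, and the CPE 2.3 string is an assumed illustration of a match entry whose version field is an unbounded wildcard rather than a 'prior to 150.0.7871.47' bound.

```python
"""Classify installed Chrome builds against CVE-2026-13958 three ways: a
correctly bounded numeric check, a plain string comparison, and an unbounded
CPE wildcard match.  Inventory rows and the CPE string are constructed."""
import re

FIXED = "150.0.7871.47"  # fixed Windows build from Google's advisory

# Assumed illustration of an unbounded CPE 2.3 match string: the version field
# (6th colon-separated component) is '*', so every Chrome build matches.
UNBOUNDED_CPE = "cpe:2.3:a:google:chrome:*:*:*:*:*:*:*:*"

# Constructed rows shaped like the DisplayName / DisplayVersion columns that the
# Get-ItemProperty spot check returns on a Windows endpoint.
INVENTORY = [
    ("ws-001", "Google Chrome", "149.0.7810.22"),
    ("ws-002", "Google Chrome", "150.0.7871.5"),   # string-sorts after ".47"
    ("ws-003", "Google Chrome", "150.0.7871.47"),  # exactly the fixed build
    ("ws-004", "Google Chrome", "150.0.7900.10"),
    ("ws-005", "Microsoft Edge", "150.0.3000.1"),  # not Chrome, skipped
]

def parse_version(text):
    """'150.0.7871.47' -> (150, 0, 7871, 47): tuples compare numerically."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(p) for p in text.split("."))

def vuln_bounded(installed):
    """NVD-style 'versionEndExcluding': affected iff installed < fixed."""
    return parse_version(installed) < parse_version(FIXED)

def vuln_lexical(installed):
    """Naive string comparison: wrong whenever a component has fewer digits."""
    return installed < FIXED

def vuln_wildcard(installed, cpe=UNBOUNDED_CPE):
    """Matcher that sees vendor:product and a '*' version: everything matches."""
    f = cpe.split(":")
    return (f[3], f[4]) == ("google", "chrome") and f[5] == "*"

def classify(inventory=INVENTORY):
    """host -> (bounded, lexical, wildcard) verdicts for each Chrome row."""
    return {host: (vuln_bounded(v), vuln_lexical(v), vuln_wildcard(v))
            for host, name, v in inventory if "chrome" in name.lower()}

def needs_manual_check(results):
    """Hosts where a naive verdict disagrees with the bounded one."""
    return sorted(h for h, (b, l, w) in results.items() if l != b or w != b)
```

Running `needs_manual_check(classify())` on the constructed rows returns ws-002 (string comparison calls the older 150.0.7871.5 patched) and ws-003/ws-004 (the wildcard match calls the fixed and newer builds vulnerable), which are exactly the two discrepancies the scanner section warns about.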

For organizations that rely on real-time threat detection, consider adding a Yara rule or SIEM alert that triggers on any Chrome process accessing unusual memory regions—though this is a temporary measure until patching is confirmed.

For developers

The bug is a stark reminder that C++ memory safety continues to bite, even in highly hardened codebases like Chromium’s. CVE-2026-13958 was likely caused by an unchecked array index in the graphics compositor, though Google hasn’t disclosed the exact component. If you maintain applications that embed Chromium (e.g., Electron apps), you’ll need to update to a Chromium version that includes the backported fix. Watch for patches from the Electron project, CEF, and other downstream distributors.

How we got here

Chrome’s move to a rapid release cycle over a decade ago has made security updates a weekly affair for many IT teams. Version 150 itself landed on June 24, 2026, with 39 security fixes, including two high-severity bugs. CVE-2026-13958 was added in a supplementary stable-channel rush patch just six days later, suggesting it was either reported through Google’s vulnerability reward program (VRP) and deemed too dangerous to hold, or discovered internally during code audits.

This timeline traces the sequence:

  • June 24, 2026: Chrome 150.0.7871.0 rolls out to stable with initial security fixes.
  • June 26, 2026: A researcher (identity undisclosed as per Google’s policy) reports the memory-disclosure flaw through the Chrome VRP.
  • June 28, 2026: Google’s security team confirms the flaw, rates it as “High” severity (indicating potential for credential theft but no remote code execution).
  • June 30, 2026: Patch 150.0.7871.47 is published, and automatic update channels are triggered.

This compressed turnaround—from report to fix in four days—is unusually fast and underscores the severity. Typically, Chrome patches are batched into bi-weekly cycles; a same-week out-of-band update signals that even though the flaw wasn’t being actively exploited, the attack surface was broad enough to warrant emergency action.

What to do now

Immediate action for all users

  1. Open Chrome.
  2. Click the three-dot menu → Help → About Google Chrome.
  3. If the version shown is 150.0.7871.47 or higher, you’re protected.
  4. If it’s lower, allow the update to download and click Relaunch.

If you’re using a Chromium-based browser like Edge or Brave, their patches typically follow within days. Check their respective release notes for a fix referencing this CVE.

For vulnerability management teams

  • Override scanner findings: Until the NVD CPE hiccup is resolved, create an override rule in your vulnerability management platform to mark systems running 150.0.7871.47 as compliant for CVE-2026-13958. Record the override with a note referencing the CPE issue.
  • Monitor the NVD entry: Bookmark the NVD page for this CVE. The CPE information may be corrected silently; keep an eye on the “Last Modified” date. A community-supplied CPE can also override the official one on platforms like Qualys or Tenable; consult your vendor’s documentation.
  • Check extensions and apps: Some Chrome extensions run in their own memory space; while the core flaw targets the renderer, you should still review any extensions that request access to all site data, as they could be a vector for secondary attacks even after patching.

Outlook

Google has not indicated whether a similar patch is needed for macOS or Linux builds; so far, the advisory mentions Windows only. That could mean the vulnerability arises from a Windows-specific code path, perhaps in the backend graphics layer. The NVD CPE confusion is a separate, administrative snarl that will likely be sorted out within the week—but it highlights a recurring pain point in vulnerability management: the gap between vendor advisories and the centralized databases that scanners rely on.

Looking ahead, Chrome 151 is already in beta and includes further memory safety improvements. For Windows users, the lesson is clear: enable automatic updates and don’t blindly trust a green checkmark from your vulnerability scanner. When a bug can silently exfiltrate your browser’s secrets, a single missed patch can be catastrophic.