On June 30, 2026, the National Vulnerability Database published details of a new Chromium flaw that lets malicious websites quietly read memory contents through the Gamepad API. Tracked as CVE-2026-14051, the bug carries a low‑severity rating, but it should not be ignored—especially by the millions of Windows users who regularly plug in a gamepad. Google has already shipped a fix in Chrome 150.0.7871.47 for Windows and Mac, and anyone who hasn’t yet applied the update needs to take action now.
The patch: what changed in Chrome 150.0.7871.47
The update landed in the stable channel during the final days of June 2026, though the official CVE entry from NVD only appeared on June 30. The changelog is minimal: a single security fix that closes an information-disclosure hole in Chrome’s implementation of the Gamepad API. That API gives web applications low‑level access to physical game controllers—everything from button presses to analog stick position and, in modern versions, even haptic feedback and motion data.
The vulnerability let a specially crafted web page leak uninitialised memory from the renderer process. In practice, an attacker who combines this flaw with another exploit could piece together fragments of sensitive data—nothing as granular as password fields or cookies, but potentially enough to undermine ASLR (Address Space Layout Randomisation) defences or extract identifiers that make a user’s browser fingerprint more precise.
Google classifies the bug as low severity for a reason. It requires an active gamepad to be connected at the time of the attack, and even then the leaked memory is random. There is no evidence of active exploitation, and the barrier to mounting a useful attack remains high. Nonetheless, the company treats every memory disclosure seriously in Chromium, and users should follow suit.
What it means for you
Home users with a gamepad
If you ever plug an Xbox, PlayStation, or third‑party controller into a Windows PC, you are in the potential blast radius. The fix arrives via Chrome’s built‑in updater; once you restart the browser, the hole is closed. There’s no need to change any Windows settings, and the update does not affect your saved passwords, extensions, or open tabs. The practical risk for most people is minuscule, but the price of closing it is zero—a quick restart.
IT administrators and enterprise environments
Managed Chrome deployments—whether through Group Policy, Microsoft Intune, or a third‑party patch tool—should push Chrome 150.0.7871.47 now. The low severity doesn’t grant a pass; compliance frameworks and cyber‑insurance policies still expect all available security patches to be applied promptly. For Windows shops that enforce Chrome’s built‑in auto‑update via the GoogleUpdate policies, the browser will already be up to date. If you block automatic updates, schedule a maintenance window this week.
Web developers
If your application relies on the Gamepad API, this CVE shouldn’t break anything. The fix corrects the memory initialisation logic, not the API’s behaviour. However, it’s a good moment to audit your own use of the API: are you requesting getGamepads() only when a controller is actually detected? Over‑requesting can still cause tiny performance hits and, in theory, make any future Gamepad‑related bugs easier to trigger on your site.
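One way to do the audit the paragraph above suggests, as an added example that is not code from the article or from Chromium: only call getGamepads() between the gamepadconnected and gamepaddisconnected events, so the API is never polled against an empty controller list. The `env` parameter and the `makeFakeEnv` stub are assumptions made so the poller can run outside a browser; in a real page you would pass `window`.

```javascript
// Added example (not from the original article): call getGamepads() only while a
// controller is known to be connected, driven by the connect/disconnect events.
// `env` is a hypothetical injection point for window (addEventListener, navigator,
// setInterval, clearInterval) so the poller can also be exercised outside a browser.
function createGamepadPoller(env, onSample) {
  const connected = new Set(); // indices of currently attached controllers
  let timer = null;

  function tick() {
    // Skip the API entirely when no controller is present.
    if (connected.size === 0) return false;
    for (const pad of env.navigator.getGamepads()) {
      if (pad && connected.has(pad.index)) onSample(pad);
    }
    return true;
  }
  function start() { if (timer === null) timer = env.setInterval(tick, 16); }
  function stop() { if (timer !== null) { env.clearInterval(timer); timer = null; } }

  env.addEventListener('gamepadconnected', (e) => { connected.add(e.gamepad.index); start(); });
  env.addEventListener('gamepaddisconnected', (e) => {
    connected.delete(e.gamepad.index);
    if (connected.size === 0) stop(); // last controller gone: stop polling
  });
  return { tick, isPolling: () => timer !== null };
}

// Constructed stand-in for the browser (not a real environment): records how often
// getGamepads() is called and lets a test plug/unplug controllers and fire events.
function makeFakeEnv() {
  const listeners = {};
  const pads = [null, null, null, null];
  let calls = 0;
  return {
    navigator: { getGamepads: () => { calls += 1; return pads; } },
    addEventListener: (type, fn) => { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch: (type, gamepad) => { (listeners[type] || []).forEach((fn) => fn({ gamepad })); },
    setInterval: () => 1,   // a nonzero handle; ticks are driven manually via poller.tick()
    clearInterval: () => {},
    plug: (index) => { pads[index] = { index, id: 'constructed pad', buttons: [], axes: [] }; },
    unplug: (index) => { pads[index] = null; },
    calls: () => calls,
  };
}
```

In a browser, `createGamepadPoller(window, pad => console.log(pad.id))` is all that is needed; the stub only exists to show that no API call is made before a controller appears or after the last one is removed.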
How we got here: a timeline of the disclosure
Chrome’s security treadmill moves fast, often faster than the public CVE pipeline. The exact internal discovery date hasn’t been shared, but the patch landed in the stable channel before NVD published its entry. This is common: Google’s Chromium team often fixes bugs reported through its Vulnerability Reward Program or found by internal fuzzers, then ships the fix days before the CVE assignment catches up. By the time the wider world learned about CVE‑2026‑14051, the update was already sitting on millions of desktops.
The Gamepad API itself has been a quiet target over the years. In early 2025, a separate race condition in the API’s polling logic was fixed (CVE‑2025‑0123), and in late 2024 a similar low‑severity memory disclosure was patched in Firefox’s gamepad interface. Controllers have become a steady, low‑priority attack surface across browsers—not because they’re insecure by design, but because the driver stacks and renderer integrations are complex and rarely scrutinised as heavily as the JavaScript engine or network stack.
What sets CVE‑2026‑14051 apart is its timing. It arrives alongside Chrome 150, a milestone that also brought a slate of performance improvements and a redesigned download manager. The security fix was folded into that release, which meant many users and admins installed it without ever noticing the CVE tag.
What to do now: a step‑by‑step guide
1. Check your version
Type chrome://settings/help into the address bar. The page will tell you the installed version and whether an update is waiting. If the number is lower than 150.0.7871.47, continue to step 2. (Chromium‑based browsers such as Edge, Brave, or Vivaldi inherit the same engine; they will roll out their own patches in the coming days. Check their respective version info pages.)
2. Let Chrome update itself
Chrome downloads updates in the background. If a new version is available, you’ll see a “Relaunch” button. Click it. Chrome restores your tabs and windows automatically. No further action is needed.
3. If the updater fails
Occasionally, corporate firewalls or strict proxy settings block the update server. In that case:
- Download the offline installer for Chrome 150.0.7871.47 from google.com/chrome on another machine, then install it manually.
- Verify the version again with chrome://settings/help.
4. Enterprise admin actions
- Group Policy: Ensure the “Update policy override” is set to “Always allow updates” and that the target version prefix is at least 150.0.7871.47.
- SCCM / Intune: Push the latest Chrome MSI immediately. The MSI file for this version is available in the enterprise download portal.
- Verify deployment: Use your inventory tool to scan for workstations still running a version older than 150.0.7871.47.
5. Stay ahead
- Enable automatic updates on every Windows machine that runs Chrome. The browser’s silent updater adds almost no overhead and is the single most effective defence against future Chromium vulnerabilities.
- Watch the Chrome release blog (chromereleases.googleblog.com) for early notice of security fixes. Google usually publishes a sparse entry within 24 hours of a new stable release.
Outlook: what to watch next
Chrome 150 will not be the last version to carry a low‑severity memory bug. The Chromium project’s commitment to shipping a new milestone every four weeks means patches like this are part of the rhythm. For Windows users, the message remains unchanged: auto‑update is your friend, and a simple restart is the cheapest insurance against an ever‑widening threat landscape. The next security bulletin will almost certainly contain a couple of higher‑severity fixes; applying every one of them keeps the stack healthy. Keep your gamepad in hand, but keep Chrome up to date first.