On June 30, Google pushed a stable channel update for Chrome on Windows and macOS that fixes a single vulnerability. The version, 150.0.7871.47, patches CVE-2026-14112—an information disclosure bug lurking in the browser’s enterprise components. Google rated it as low severity. But for organizations that manage Chrome at scale, this update demands attention now.

A single, silent patch with enterprise sting

The June 30 release notes are unusually sparse: “1 security fix.” There are no feature bumps, no new API endorsements. Just a quiet patch for a CVE that Google later documented as an information disclosure in Chrome’s enterprise functions. That documentation explains that the flaw stems from the browser’s managed-software layer—the code that handles group policies, legacy browser support, and cloud management enrollment. An attacker who lured a user to a specially crafted site could, in theory, read chunks of process memory that should never cross the boundary from the Chrome process into the web attacker’s hands.

Google’s bulletin describes the bug as an “Enterprise-component information disclosure” that could expose “sensitive process-memory.” While the public proof-of-concept is withheld, the description is clear enough: the vulnerability lets a remote attacker read portions of memory that should be walled off. The immediate risk is that credentials, authentication cookies, internal hostnames, or configuration tokens held by an enterprise-managed browser instance could leak.

The fix landed in Chrome 150.0.7871.47 for both Windows and macOS. Linux and ChromeOS users are not affected because the vulnerable component is not present on those platforms.

What it means for you—and why “low” severity doesn’t mean “ignore”

For the everyday user on a personal machine, this CVE is indeed low-stakes. The vulnerability lives in the enterprise plumbing that most people never touch. An attacker would still need an exploit chain—likely a separate sandbox escape—to turn a memory disclosure into a full system compromise. On a standalone laptop, the worst-case scenario is a throwaway cookie theft, and Chrome’s site isolation further reduces the blast radius.

The calculus flips for IT administrators. Any device enrolled via Chrome Browser Cloud Management, running Legacy Browser Support, or hardened with on-premises group policies runs the vulnerable code. In a managed environment, the process memory can contain much richer pickings: the service account token that talks to the admin console, the internal domain credentials cached by an SSO flow, the private key material for a client certificate used in a corporate VPN. Even a partial memory dump can give a sophisticated attacker a foothold for lateral movement.

“Low” is a description of how difficult the bug is to trigger reliably across a wide user base—not a statement of its actual damage potential in targeted attacks. Microsoft, for instance, routinely rates similar info leaks as “Important” and ties them to zero-day campaigns. Google’s own severity scale classifies a bug as Low when it requires unlikely user interaction, affects a small set of users, or has minimal direct security impact. But in an enterprise context, the indirect impact can be enormous.

For developers who maintain Chromium-based Electron apps, the patch is equally relevant. If your application bundles Chrome’s enterprise components—common in apps that support managed configurations—you inherit the CVE. Electron 34, which ships with Chromium 150, is currently tracking this patch; expect a backport in an upcoming Electron stable release.

How we got here: the expanding enterprise surface

Chrome’s enterprise story has grown dramatically over the past three years. Browser Cloud Management, originally a lightweight enrollment mechanism, now offers over 500 policies. Legacy Browser Support injects a helper extension to automatically switch between Chrome and a secondary browser. Ephemeral user profiles, managed guest sessions, and the Chrome Policy API expose ever more hooks into how the browser runs inside a managed organization. Each addition widens the attack surface.

Information disclosure bugs are not new to Chromium. CVE-2023-2136 (high severity) leaked URL fragments. CVE-2022-3315 (medium) exposed file contents through a crafted file:// URL. What makes this one different is its residence in the domain-joined machinery that sits between the browser and the company network. A similar cluster of bugs appeared in late 2024 when researchers began systematically stress-testing the enterprise enrollment flow. Google’s security team then moved several data parsers out of process, but evidently missed this code path.

The timeline for CVE-2026-14112 is short: Google internally discovered the flaw on May 10, developed and tested the patch over six weeks, and shipped it as a single-fix release on June 30. The company will not share the bug’s full technical details for another 90 days, giving enterprise customers a head start before attackers have a complete reverse-engineering roadmap.

What to do now

Home users and non-managed installations:
1. Open Chrome, click the three-dot menu > Help > About Google Chrome. The browser will check for updates and install version 150.0.7871.47 automatically. A relaunch is required.
2. If the update doesn’t appear immediately, download the latest installer from google.com/chrome and run it manually.

IT administrators managing Chrome via group policy or Cloud Management:
1. Confirm that your update policies are set to “Always allow updates” and the target version is pinned to 150.0.7871.47 or later.
2. Use your preferred patch management tool (SCCM, Intune, WSUS) to force a sync. Chrome’s update interval can lag by up to 24 hours in ringed deployments, so trigger an immediate check.
3. For browsers locked to a candidate version for internal validation, pull the standalone enterprise MSI from Chrome Browser Enterprise Support and deploy it over the top of existing installations. The MSI update is non-destructive and preserves profiles.
4. After updating, spot-check a few enrolled devices by navigating to about://version and verifying the build number. Also check about://policy to ensure policies are still applied correctly; this CVE could have corrupted the policy fetch path in rare circumstances.

There is no workaround. Disabling enterprise features or the Chrome Management service is not practical—it breaks enrollment and policy enforcement. Patch and move on.
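As an added example (not code from the article, Google, or Chrome Enterprise tooling), a small Python triage script that applies the two rules the article states, only Windows and macOS carry the vulnerable component and the fixed build is 150.0.7871.47, to a device inventory exported from whatever patch management tool you use. The inventory format, hostnames, versions and the managed flag are assumptions; the point it makes for step 4 above is that Chrome builds must be compared numerically, since a string comparison misorders 150.0.7871.9 and 150.0.7871.47.

```python
# Added example, not from the article: fleet triage for CVE-2026-14112.
from typing import Dict, List, Tuple

PATCHED = "150.0.7871.47"                 # fixed build named in the bulletin
AFFECTED_PLATFORMS = {"windows", "macos"}  # Linux and ChromeOS lack the component

def parse_version(version: str) -> Tuple[int, ...]:
    """'150.0.7871.47' -> (150, 0, 7871, 47). Numeric tuples are needed because
    plain string comparison puts '150.0.7871.9' after '150.0.7871.47'."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)

def is_patched(version: str) -> bool:
    """True for the fixed build or anything newer."""
    return parse_version(version) >= parse_version(PATCHED)

def triage(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Bucket hosts by exposure. Vulnerable hosts are listed managed-first,
    since enrolled devices hold the richer process memory the article describes."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "patched": [],
                                     "not_affected": [], "unknown": []}
    vulnerable: List[Tuple[bool, str]] = []
    for dev in inventory:
        if dev["platform"].lower() not in AFFECTED_PLATFORMS:
            buckets["not_affected"].append(dev["host"])
            continue
        try:
            patched = is_patched(dev["version"])
        except ValueError:           # no usable version reported: spot-check by hand
            buckets["unknown"].append(dev["host"])
            continue
        if patched:
            buckets["patched"].append(dev["host"])
        else:                        # False sorts first, so managed hosts lead
            vulnerable.append((not dev.get("managed", False), dev["host"]))
    buckets["vulnerable"] = [host for _, host in sorted(vulnerable)]
    return buckets

# Constructed sample inventory: hostnames, versions and enrolment are made up.
SAMPLE_INVENTORY = [
    {"host": "win-fin-01", "platform": "windows", "version": "150.0.7871.9", "managed": True},
    {"host": "mac-eng-07", "platform": "macos", "version": "150.0.7871.47", "managed": True},
    {"host": "lnx-build-2", "platform": "linux", "version": "149.0.7800.12", "managed": False},
    {"host": "win-home-3", "platform": "windows", "version": "149.0.7800.12", "managed": False},
    {"host": "mac-hr-04", "platform": "macos", "version": "n/a", "managed": True},
]
```

Calling `triage(SAMPLE_INVENTORY)` puts win-fin-01 ahead of win-home-3 in the vulnerable bucket and parks mac-hr-04 under unknown, which is exactly the device you would walk over to and check at about://version.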

Electron app maintainers:
Monitor the Electron release calendar. Once Electron 34 incorporates this Chromium patch, update your app’s framework and push a maintenance release to your users through your normal distribution channel.

Outlook

Google’s decision to ship a dedicated, one-fix release for a low-severity bug hints that the internal risk assessment was higher than the public rating suggests. It would not be surprising to see this CVE escalated to medium severity once the full report is made public. For enterprise defenders, the message is already plain: when Chrome’s enterprise machinery coughs up a fix, act as if it were critical. The next vulnerability might not come with a 90-day head start, and the silent patch you ignored today could be the root cause analysis headline tomorrow.