iPhone and iPad users who run Google Chrome need to update the browser immediately—before they visit another suspicious site or tap another ambiguous link. Google has shipped Chrome for iOS version 150.0.7871.47 to fix a medium-severity vulnerability tracked as CVE-2026-13983 that, according to the company’s advisory, could let a remote attacker use a crafted HTML page to manipulate a victim’s interactions with the browser.
The Vulnerability at a Glance
The flaw, which existed in all earlier versions of Chrome for iOS, involves a weakness in how the browser processes web content combined with user gestures. Google described the attack scenario as requiring a “crafted HTML page” and “carefully induced gest”—an abbreviation almost certainly pointing to gestures. That language suggests an attacker could build a malicious website designed to trick a user into tapping, swiping, or scrolling on hidden interface elements, effectively hijacking the victim’s intended actions.
While Google hasn’t published technical details yet, security researchers familiar with similar bugs say this sounds like a classic gesture-jacking or UI-redressing attack. In such exploits, a webpage overlays invisible or seemingly innocent buttons on top of legitimate browser controls—like a “Close” pop-up or a permission prompt—so that when you think you are dismissing a dialog, you are actually granting the attacker access to your location, clipboard contents, or initiating a download. On iOS, where Chrome must use Apple’s WebKit rendering engine, UI tricks that bypass the browser’s own protective layers can be especially dangerous because they sidestep the usual sandboxing.
CVE-2026-13983 carries a “medium” severity rating, which means it is not trivial to exploit at scale but can be weaponized in targeted phishing campaigns or watering-hole attacks. The medium label, however, should not lull anyone into complacency—attackers often chain medium-severity bugs with other weaknesses to build a full compromise. The iOS version of Chrome is missing the full multi-process architecture of its desktop counterpart, making any flaw that tampers with the user interface a potential steppingstone to more serious consequences.
How We Got Here
Chrome for iOS has long occupied a strange middle ground in the browser world. Because of Apple’s App Store policies, every third-party browser on iPhone and iPad must build on top of the system-provided WebKit framework. That means Chrome for iOS does not use Google’s own Blink engine; it relies on Apple’s rendering and JavaScript execution, with Chrome’s extra features—syncing, password management, voice search—wrapped on top.
This architectural restriction tends to shield iOS users from the type of engine-level vulnerabilities that plague Chrome on desktop and Android. Yet it also introduces a unique risk: bugs in Chrome’s custom UI code, like those tied to gesture recognition, can fly under the radar because they are not part of the standard WebKit bug bounty or Apple’s rapid security response. Historically, iOS Chrome has seen fewer critical CVEs than its siblings, but when a UI-focused flaw appears, it often demands an urgent update precisely because it can circumvent Apple’s normally strong isolation.
Google’s own security blog has not yet detailed the timeline of discovery or credited researchers, though it is standard practice for the company to withhold those specifics until a majority of users have applied the patch. The version number 150.0.7871.47 follows Chrome’s relatively new rapid-release scheme that aligns all platforms under a unified major build number, making it easier for users and IT administrators to confirm they are on a secure release.
What the Flaw Means for Everyday Users
If you are an iPhone or iPad owner who uses Chrome as your primary browser, the practical risk until you update is that a malicious website could trick you into performing an action you never intended. The most likely scenario is a phishing page that overlays a transparent “Allow” button on top of a legitimate-looking prompt. For example, you could visit a site that appears to show a cookie consent dialog, but when you tap “Accept,” you are actually granting the site access to your current GPS coordinates or silently copying your clipboard data.
Because the exploit relies on induced gestures rather than simply loading a page, you would need to interact with the crafted page in a specific way—tapping a certain spot, swiping in a particular direction. That still leaves plenty of room for an attacker to craft convincing social-engineering lures. A fake “video player” that asks you to tap to play could in reality be a hidden download trigger. A pop-up that says “Swipe to unlock content” might instead be a gesture that opens a new tab to a credential-harvesting clone of a banking site.
Users who have enabled Chrome’s built-in Safe Browsing protections gain an extra layer of defense because Google actively flags known malicious URLs, but Safe Browsing cannot catch every newly registered domain or zero-day phishing page. The most cautious stance is to apply the update as soon as possible and then verify the version number manually.
What IT Administrators Should Know
For organizations that manage fleets of iPhones and iPads, CVE-2026-13983 represents a manageable but nontrivial risk. The medium severity means it is unlikely to be used in broad, automated attacks, but targeted spearphishing against executives or employees with access to sensitive data is a realistic concern. An attacker could craft a convincing email with a link to a weaponized page and induce the recipient to tap in just the right spot to trigger the flaw.
Apple’s Mobile Device Management (MDM) frameworks allow administrators to push Chrome updates automatically, as long as the App Store auto-update setting is enabled on supervised devices. If your fleet relies on manual updates, this is the moment to trigger a compliance check. The target version is exactly 150.0.7871.47. Anything lower—whether 150.0.7871.14 or earlier 149.x builds—is vulnerable. MDM solutions that report installed application versions can help quickly identify stragglers.
For those using enterprise authentication services that integrate with Chrome, note that the bug itself does not directly compromise credentials, but a well-executed gesture-jacking attack could reroute a victim to a fake single sign-on page after they believe they have tapped a legitimate login button. Combining this CVE with a phishing domain could yield a high-value exploit chain. Remind users that after updating, they should still scrutinize any unexpected login prompts.
What to Do Now: Update Chrome on iPhone and iPad
The only true fix is to install the updated browser. Here are the steps for individual users and for administrators:
For Personal Devices
- Open the App Store on your iPhone or iPad.
- Tap your profile icon in the upper-right corner.
- Scroll down to see pending updates. If Chrome appears, tap Update next to it. If not, pull down to refresh the list.
- Alternatively, search for “Google Chrome” in the App Store and check if the button says Update instead of Open.
- After the update completes, open Chrome, tap the three-dot menu, go to Settings > Google Chrome, and verify the version at the bottom matches 150.0.7871.47.
If you have automatic updates enabled (Settings > App Store > App Updates), the fix should arrive on its own within 24–48 hours. But given the active attack potential, a manual check is the safer route today.
For Managed Fleets
- Push the update via your MDM platform by requiring the latest version of Chrome for iOS.
- Review your compliance policies to flag any device running a version older than 150.0.7871.47.
- If your MDM does not support forced app updates, send a notification to all users with a link to the App Store page and a short explanation of the risk.
- For devices that cannot be updated immediately—say, due to software compatibility testing—consider temporarily disabling Chrome and directing users to Safari until the patch can be applied.
No configuration changes within Chrome itself can mitigate the vulnerability. Workarounds like disabling JavaScript or blocking all pop-ups may break the web and are not guaranteed to stop a gesture-based attack. Updating is the only reliable defense.
The Bigger Picture for iOS Browser Security
The CVE-2026-13983 patch is a reminder that even on a locked-down platform like iOS, the browser remains a prime target. Apple’s own security architecture makes it difficult for a simple drive-by download to compromise the entire device, but the line between a browser UI trick and a full phishing disaster is paper-thin. When a flaw allows an attacker to control what a user sees and taps, the device’s underlying security features can become irrelevant.
Google has been steadily closing the feature gap between Chrome on iOS and its counterparts, adding more native capabilities like enhanced Safe Browsing and improved password management. Each new feature adds code that can harbor unforeseen bugs. Users who value cross-platform syncing and Chrome’s feature set should accept that occasional security updates are part of the deal.
For those who prefer a belt-and-suspenders approach, using Safari as the default browser and reserving Chrome for specific tasks reduces the attack surface, but it does not eliminate the risk entirely. The real solution is a culture of prompt updating. Google’s increasingly rapid release cycle means that once a flaw is reported, a fix often appears within weeks, but users must actually apply it.
Outlook
Google is expected to release more detailed information about CVE-2026-13983 in the coming days, once the patch has had time to saturate the user base. The company typically credits external researchers at that point, shedding light on whether this was found internally or reported through the Vulnerability Reward Program. No zero-day exploitation has been publicly confirmed as of this writing, but with the patch now available, attackers may reverse-engineer the fix to develop exploits—another reason to update today rather than tomorrow.
In parallel, Apple’s own security teams will likely examine the bug to see if any similar UI-redressing weaknesses lurk in native Safari. Historically, Chrome and Safari bugs on iOS are sometimes distant cousins because both rely on the same OS-level touch handling APIs. If Apple finds a broader issue, expect an iOS point release that tightens gesture recognition across all browsers.
For now, the one action every Chrome for iOS user should take is clear: open the App Store, tap update, and verify you are on version 150.0.7871.47. A few seconds of housekeeping today can stop a carefully crafted tap from turning into a security nightmare.