Google released an emergency update for Chrome on iOS this week, pushing users to version 150.0.7871.47 to fix a use-after-free vulnerability tracked as CVE-2026-14067. The patch lands amid a rare public disagreement over severity: Chrome’s own researchers rated the bug as low risk, but the U.S. Cybersecurity and Infrastructure Security Agency (CISA) assigned it a CVSS 3.1 score of 8.8, squarely in the high-severity range.

Use-after-free flaws are memory corruption bugs that can let attackers execute arbitrary code or crash an application. In browser contexts, they’re often paired with other exploits to break out of sandboxes. While the technical details aren’t yet public — Google typically withholds specifics until most users have updated — the split in severity ratings suggests the attack surface or exploitability might be more nuanced than a cursory look would reveal.

The update is rolling out now through Apple’s App Store. Users who have automatic updates enabled should receive it within the next 24 hours, but everyone else should check their version and update manually. For a vulnerability that can be triggered by simply visiting a malicious website, waiting even a few days can be risky.

What Changed in Chrome 150.0.7871.47

The focal point is a single vulnerability: CVE-2026-14067, described as a use-after-free in the WebTransport component — a protocol that enables low-latency communication between browsers and servers. Google’s advisory lists it as a Low severity issue, but CISA’s entry in the Known Exploited Vulnerabilities catalog gives it an 8.8 CVSS 3.1 score, with a vector string indicating network-based attacks, low attack complexity, and no user interaction required aside from visiting a page.

Chrome’s security team often assigns a lower initial severity when exploitation requires a specific configuration or a chained exploit that doesn’t exist yet. CISA, on the other hand, considers the potential national impact and the availability of mitigations. The agency recently expanded its scope to include mobile browser flaws after a string of high-profile drive-by attacks against iOS users.

The update also includes three other fixes, though none are publicly assigned CVEs. For a complete technical breakdown, the Chromium bug tracker entry is locked to public view until at least a week after the patch, per standard policy. Third-party security researchers have noted that the vulnerability may be exploitable through a specially crafted WebTransport stream, potentially allowing remote code execution within Chrome’s renderer process.

What It Means for You

If you use Chrome on an iPhone or iPad, this update is important — but not just because of the scary CISA score. The disagreement between Google and CISA reflects a real tension in how we judge risk.

For everyday users:
- Updating removes the risk entirely. The fix is already available. There are no known active exploits targeting this flaw, but that could change quickly once technical details leak or a proof of concept emerges.
- You don’t need to stop using Chrome. But until you update, be extra cautious about clicking links from unknown sources, especially those that could open WebTransport connections (uncommon in typical browsing).
- iOS’s system-wide sandboxing adds a layer of defense. Even if an attacker exploits this bug in Chrome’s renderer, they’d still need a second vulnerability to escape into the operating system. That’s a high bar, which might explain Google’s low severity rating.

For IT and enterprise admins:
- If you manage a fleet of corporate iPhones with Chrome installed, push the update through your MDM solution or communicate the urgency to users. While the threat is remote, the CISA rating could put you out of compliance with federal cybersecurity directives if you delay.
- Consider whether Chrome is necessary on managed devices. For many enterprise environments, Safari (which uses WebKit and is unaffected by this Chrome-specific code) might be a safer default browser option. But if you rely on Chrome’s sync features or specific extensions, updating is the correct path.

For developers and power users:
- Test any internal WebTransport applications against the latest build. The patch might alter behavior in edge cases.
- If you’re running a pre-release version of Chrome (Beta or Canary), check for a corresponding update. Use-after-free fixes often touch significant code paths, so your testing is valuable before the stable rollout.

How We Got Here

Chrome for iOS has a unique architecture compared to its desktop and Android counterparts. Due to Apple’s App Store policies, it must use the system WebKit engine for rendering web content, meaning the Chromium blink engine isn’t present. However, Chrome still wraps its own UI, networking stack, and features like sync and WebTransport around that engine. That custom code is where vulnerabilities like CVE-2026-14067 live.

This isn’t the first time severity ratings have clashed. In 2024, a similar use-after-free in Chrome’s V8 JavaScript engine was rated High by Chromium but went without a CISA advisory for months, until evidence of exploitation surfaced. CISA has become more proactive since then, often issuing advisories ahead of in-the-wild activity based on vulnerability scoring models that assume worst-case scenarios.

CISA’s CVSS 8.8 is based on the following breakdown (not yet published, but inferred from CISA’s typical methodology):
- Attack vector: Network (AV:N) — no local access needed.
- Attack complexity: Low (AC:L) — no special conditions beyond visiting a website.
- Privileges required: None (PR:N) — works even if you’re not logged into anything.
- User interaction: None (UI:N) — no clicking, opening a file, or additional steps.
- Scope: Changed (S:C) — can impact resources beyond the security scope of the vulnerable component.
- Confidentiality impact: High (C:H) — allows reading of sensitive data.
- Integrity impact: High (I:H) — allows modification of data.
- Availability impact: High (A:H) — can crash or make the browser unusable.

That’s a severe impact combination. Google’s lower rating likely assumes a more limited scope or that additional preconditions apply — maybe the renderer sandbox is effective enough to keep impact down to a crash.

The timeline is tight: the bug was reported to Google on March 12, 2026, internally triaged within 48 hours, and the fix landed in mainline on March 17. Within three days, the fix was backported to the iOS stable channel build that became 150.0.7871.47. Google’s usual schedule from fix to stable release can take up to two weeks, so the accelerated timeline suggests some urgency, even if the public rating doesn’t.

What to Do Now

Take these steps immediately:

  1. Update Chrome on iOS
    - Open the App Store.
    - Tap your profile icon at the top right.
    - Scroll to find Chrome. If an update is pending, tap “Update.”
    - After the update, open Chrome and go to Settings > About Chrome to verify you’re on version 150.0.7871.47 or later.

  2. Enable Automatic Updates (if you haven’t already)
    - Go to Settings > App Store on your device.
    - Toggle “App Updates” to on. This ensures you get future patches without relying on manual checks.

  3. For Enterprises: Verify MDM Policies
    - If you restrict app updates via MDM, this is a candidate for an immediate exception. Push the latest Chrome version to all supervised devices.
    - Review your security information and event management (SIEM) rules to detect any unusual WebTransport traffic from Chrome on iOS until all devices are patched.

  4. Consider Temporary Alternatives (Optional)
    - If you can’t immediately update, consider switching to Safari or Firefox for iOS for a day or two. Both use WebKit for rendering but don’t include Chrome’s compositor or networking layer where this bug exists.

  5. Watch for Updates from Google and CISA
    - Google’s Chrome Releases blog and CISA’s Known Exploited Vulnerabilities catalog are the best sources. If exploitation is detected in the wild, you’ll see a sudden update.

Outlook

As of now, there are no confirmed reports of active exploitation of CVE-2026-14067. That could change. Use-after-free bugs in network-facing components have a history of being weaponized — sometimes weeks or months after patches are released. Google’s “Low” severity rating suggests confidence that iOS sandboxing prevents complete system compromise, but the CISA score reminds us that for a targeted individual or enterprise, even a renderer compromise can expose sensitive session data.

Watch for Chrome’s usual quarterly security roundups for more detail once the bug tracker entry is opened. In the meantime, CISA’s move to flag a mobile browser flaw as high severity might signal a broader shift in how the federal government prioritizes mobile threats — something every IT department should pay attention to.