Google has pushed out an emergency update for Chrome on iOS, patching a zero-day vulnerability that could allow attackers to compromise iPhones and iPads. The fix arrives in build 150.0.7871.47, and all Chrome users on iOS should install it without delay. The flaw, tracked as CVE-2026-14136, does not affect Chrome on Windows, macOS, or Android, but the iOS-specific nature and the speed of the release signal a high-severity issue.
What changed in Chrome for iOS
Version 150.0.7871.47 addresses a security bug that, while not fully detailed by Google yet, has been assigned a CVE identifier — a label reserved for publicly disclosed or actively exploited vulnerabilities. The advisory accompanying the release is sparse on technical details, a standard practice to buy users time to patch before attackers reverse-engineer the fix.
Microsoft’s own incident response team flagged the update and explicitly noted that Chrome on Windows is not listed as affected. That confirmation is crucial for organizations with mixed-device environments; only iOS endpoints need immediate attention.
How to check your Chrome version on iOS
- Open Chrome.
- Tap the three-dot menu (bottom-right on iPhones, top-right on iPads).
- Scroll down and tap Settings.
- At the bottom of the Settings list, tap Google Chrome.
- The version number appears next to "Version."
If it’s 150.0.7871.47 or higher, you’re protected. If not, proceed to the update instructions.
How to update Chrome on iOS
- Open the App Store on your iPhone or iPad.
- Tap your profile icon in the top-right corner.
- Scroll to find Google Chrome in the list of pending updates, or pull down to refresh.
- Tap Update next to Chrome.
Alternatively, you can search for Chrome in the App Store; the button will say "Update" if a newer version is available.
What the CVE means for you
For iPhone and iPad users
The lack of public exploit code or detailed technical analysis should not lead to complacency. Every CVE assigned to Chrome for iOS in the past three years has been patched within weeks, often with active exploitation indicators. Because Chrome on iOS relies on Apple’s WebKit rendering engine — unlike Chrome on other platforms, which uses its own Blink engine — vulnerabilities in WebKit can affect all browsers on the device. That makes a flaw like this especially dangerous: an attacker could craft a malicious webpage that compromises your device merely by you visiting it.
Common threat vectors include phishing links sent via email or messaging apps. Once a tab is opened in Chrome, an exploit could hijack the browser to steal credentials, inject malware, or pivot to other apps if the sandbox is also bypassed. While iOS’s security architecture is robust, no system is immune to determined adversaries. The immediate risk is credential theft or silent installation of a surveillance payload.
If you use Chrome as your primary browser on an iPhone or iPad, treat this update as mandatory. If you rely on Safari, you are not directly at risk unless you open a malicious link in a Chrome web view within another app — though that scenario is less common.
For IT administrators
Managed iOS devices with Chrome installed must be prioritized. If you deploy software updates via a Mobile Device Management (MDM) solution, verify that the App Store update is available in your region and push it to all supervised devices. If you rely on users to self-update, send a company-wide alert listing the exact steps above.
Key considerations:
- Check your MDM’s app inventory report to identify all devices still running Chrome versions below 150.0.7871.47.
- If your organization uses app allow-listing or restricts App Store access, temporarily relax those controls to permit the update.
- For unmanaged or BYOD devices, a conditional access policy (e.g., via Microsoft Intune or an equivalent) that blocks access to corporate resources from outdated Chrome versions can enforce compliance.
- Since Chrome on Windows is not affected, no action is needed for desktop fleets. This is an iOS-only exposure.
Note that Google has not yet released an advisory through its standard Chrome Releases blog, but the patch is live on the App Store. IT admins should monitor the Chrome Security page for the full CVE write-up once Google publishes it. In the interim, the Microsoft incident response team’s acknowledgment and the CVE assignment itself are sufficient to justify emergency patching.
How we got here: the evolving threat landscape for Chrome on iOS
Chrome for iOS has historically been less vulnerable than its desktop counterpart, thanks to Apple’s requirement that all browsers use the built-in WebKit engine. That means webcode rendering — the most common attack surface — is handled by the same core library that powers Safari, and Apple patches WebKit flaws system-wide. However, Chrome wraps WebKit with its own networking stack, JavaScript engine (V8), and feature set. Bugs in those proprietary layers can create Chrome-specific vulnerabilities.
Since 2024, Google has accelerated the release cadence for Chrome on iOS security patches, moving from quarterly to almost monthly updates for critical CVEs. In 2025 alone, three Chrome for iOS zero-days were patched under active exploitation. The growing popularity of Chrome on iOS — now the default browser for many G Suite users, and the second most-used browser on the platform after Safari — has attracted more attention from threat actors.
CVE-2026-14136 follows a pattern: a vulnerability is discovered either by Google’s internal researchers or through third-party reports, and a patch is prepared under a shortened timeline. The fact that this CVE falls in 2026 suggests it’s either a brand-new bug or one that was reported late in the year, squeezing the disclosure window. Because the patch was released without a corresponding Chrome for Desktop update, it’s almost certainly tied to an iOS-specific component — perhaps in the way Chrome handles inter-process communication with system services, or in the V8 JavaScript engine’s interaction with Apple’s hardware memory protections.
What to do now
Beyond installing the update immediately, take these steps to reduce risk:
- Enable automatic updates on iOS: Go to Settings > App Store and toggle on "App Updates." This ensures Chrome and other critical apps update silently overnight.
- Audit browser usage: If you use Chrome for work but Safari for personal browsing, consider switching to Safari until the patch is applied. Safari benefits from Apple’s fastest security update channel (Rapid Security Responses).
- Be vigilant against phishing: This vulnerability could be delivered via spear-phishing links. Treat unexpected messages with suspicion, especially those urging you to click a link “to view a document” or “verify your account.”
- Use a password manager and two-factor authentication: In case credentials are stolen, a password manager ensures unique, strong passwords for each site, and 2FA prevents unauthorized logins even with the password.
- Monitor Google’s official channels: Bookmark the Chrome Releases blog (https://chromereleases.googleblog.com) and the Chrome Security page (https://www.google.com/chrome/security/) for the upcoming detailed advisory. It will contain the specific nature of the vulnerability, which can help you assess whether any post-exploitation measures are needed.
- Check for unexpected profiles or devices: After updating, review Chrome’s settings for any unrecognized signed-in accounts or synced devices. On iOS, open Chrome, tap the three-dot menu, and go to Settings > Your Name to see all signed-in profiles. If anything looks amiss, sign out all devices from your Google Account security page.
Outlook
Google will likely publish a full technical analysis of CVE-2026-14136 within the next two weeks, following its standard vulnerability disclosure policy. That report will confirm whether the bug was caused by a logic flaw, a memory safety issue, or a sandbox escape, and whether it was exploited in the wild. In the interim, the App Store patch is the definitive mitigation.
For enterprise IT teams, the real question is whether this vulnerability will prompt a broader review of third-party browser policies on managed iOS devices. As Chrome and other browsers add more non-WebKit features to differentiate themselves, each new capability introduces potential attack surface. Organizations that have standardized on Safari for iOS may see this as reinforcement of that strategy, while Microsoft Edge on iOS — which also relies on WebKit — remains unaffected unless a similar flaw surfaces in its own proprietary layers.
For individual users, the lesson is clear: keep automatic updates on and treat browser zero-day patches with the same urgency as operating system updates. The days of thinking iOS is inherently immune to browser-borne attacks are over.