Google has released an emergency update for Chrome on iOS, fixing a high-severity universal cross-site scripting (UXSS) vulnerability that could let attackers hijack user accounts across the web. The patch, Chrome version 150.0.7871.47, addresses CVE-2026-13812, a bug that security researchers discovered could be triggered by simply visiting a crafted HTML page.
Universal XSS attacks are particularly dangerous because they don't require the victim to click a link or download a file. A malicious website can inject JavaScript into the context of a completely different site you have open in another tab—or even into pages you visit later—bypassing the web's same-origin policy. That means a rogue page could, for example, read your emails, steal login tokens, or make fraudulent purchases, all without your knowledge.
What exactly was fixed
Google's advisory states that CVE-2026-13812 is a universal cross-site scripting flaw in Chrome for iOS prior to version 150.0.7871.47. The vulnerability was reported by an external security researcher, though the company hasn't disclosed the finder's name or whether the bug was exploited in the wild. The bug rating is “High”—Google's second-highest severity level—indicating it could lead to serious compromise of user data.
Because Apple requires all browsers on iOS to use its WebKit engine, Chrome on iOS is essentially a wrapper around Safari's rendering core. That means the bug likely resided in how Chrome handled certain web content or JavaScript interfaces, rather than in the underlying engine itself. Universal XSS flaws often stem from unsafe handling of data URLs, mishandled redirects, or improper sanitization of script code before injecting it into a page. Without technical details, it's impossible to say exactly how this one worked, but the impact is clear: a vulnerable version of Chrome could be tricked into running attacker scripts on any domain.
What this means for you
The good news is that the fix is simple. The bad news is that many users don't realize they need to manually update iPhone and iPad apps, even after years of automatic update options. If you use Chrome on iOS, here's how the situation differs depending on your role.
For everyday users
If you browse the web with Chrome on an iPhone or iPad, check your version now. Open Chrome, tap the three-dot menu, then Settings > About Chrome. If the version is anything less than 150.0.7871.47, you're vulnerable. Updates are delivered through the App Store: just open the App Store, tap your profile icon, and pull to refresh the list of available updates. Find Chrome and tap Update. If you have automatic updates turned on, you'll still want to verify that the update has actually been applied—sometimes there's a delay.
After updating, it's a good idea to force-close Chrome and relaunch it. This ensures the browser restarts with the patched version, not a backgrounded process still running the old code.
For IT admins and MDM managers
If you manage a fleet of iOS devices with Chrome installed, push the update via your mobile device management (MDM) solution immediately. Because the vulnerability could expose corporate credentials or internal web apps, consider implementing a compliance policy that checks for the minimum Chrome version. If your MDM supports deferrals, reduce the deferral period to zero to force the update. For users who rely on Chrome for work, educate them about the urgency—especially if they handle sensitive data like financial or health information.
For web developers and security researchers
Chrome on iOS accounts for a significant share of mobile browsing. If your web services store authentication tokens in cookies or localStorage—which is almost every modern web app—a UXSS vulnerability in the browser effectively bypasses all server-side protections. Review your client-side security assumptions: while there's no server patch for this, you might consider shortening token expiry times or re-validating sessions more aggressively until you're confident your user base has updated. Incidents like this are also a reminder that relying solely on Content Security Policy (CSP) headers is insufficient if the browser itself can be tricked into executing scripts.
How we got here
Universal XSS vulnerabilities have a long history in browsers. In the early 2010s, similar bugs plagued Internet Explorer and Chrome on desktop, often arising from how plug-ins like Flash or PDF readers interacted with web pages. Modern browsers have largely stamped out those legacy attack surfaces, but the cat-and-mouse game continues as browsers add new APIs and capabilities.
Chrome on iOS has a unique architecture. Unlike its desktop counterpart, which uses Google's Blink engine, Chrome for iPhone and iPad must use WebKit—the same engine that powers Safari—due to Apple's App Store policies. This means Google cannot patch engine-level bugs itself; it must wait for Apple to fix WebKit issues. However, vulnerabilities in Chrome's own layer—its UI, networking stack, or JavaScript integration—remain Google's responsibility. CVE-2026-13812 appears to fall into this latter category.
Google's last few updates for Chrome on iOS have included similar high-severity fixes. In recent months, the company patched a use-after-free bug in the browser's translation feature and a type confusion flaw in the V8 JavaScript engine (on desktop). Mobile browsers are increasingly targeted because they hold a trove of personal data—email, banking, social media—all accessible through a single app.
What to do now
- Update Chrome immediately. Open the App Store, find Chrome, and tap Update. The full version number should read 150.0.7871.47.
- Verify the update. In Chrome, go to Settings > About Chrome and confirm the version. If it isn't updated, try restarting your device or reinstalling the app.
- Enable automatic updates. Go to Settings > App Store on your device and turn on App Updates. While it's not flawless, it reduces the window of exposure for future vulnerabilities.
- Consider using a content blocker. As an added layer, consider installing a reputable content blocker from the App Store. These extensions can sometimes block malicious scripts before they execute, though they are not a substitute for patching.
- Watch for suspicious activity. While there's no evidence this bug has been exploited, it's always wise to check your sensitive accounts—email, banking, social media—for unusual logins or transactions. Change passwords if you're concerned.
- For businesses: push the update now. If you manage devices, don't wait for the standard patch cycle. Push the update and inform employees of the risk.
Outlook
Google's swift fix suggests the company considers CVE-2026-13812 a serious threat, even if details are sparse. The fact that it affects the iOS version of Chrome—a browser often thought to be more locked down than its desktop counterpart—underscores the importance of treating mobile security with the same urgency as desktop.
Looking ahead, Apple's increasing openness to browser engine alternatives under regulatory pressure could introduce more diversity, but also more complexity, to iOS browser security. For now, users should expect regular updates and remain vigilant about applying them. As always, the single best defense against browser-based attacks is to keep your software current.