Google pushed out a security update for Chrome on iPhone and iPad this week—version 150.0.7871.47—sealing a medium-severity hole that a remote attacker could use to hijack the browser on your device. If you’re still running an older build, a single visit to a malicious website could be enough to compromise your browsing session or worse.
The Flaw: What Exactly Got Fixed
Buried in the release notes for the latest Chrome Stable channel build on iOS is a fix for CVE-2026-13991, an input validation bug that the National Vulnerability Database describes as allowing a remote attacker to “use a crafted HTML page” to trigger an unspecified but potentially dangerous outcome. Google’s own advisory is characteristically sparse, offering only a severity rating of Medium, a reference to the CVE number, and no further technical meat. That’s standard practice until a majority of users have applied the patch.
Input validation bugs are exactly what they sound like: the software incorrectly processes certain data—in this case, within the browser’s handling of web content. A hostile page or script could feed Chrome data that slips past its filters, leading to anything from a crash to, in more serious cases, arbitrary code execution. Medium severity suggests that exploiting this flaw probably requires some user interaction, such as clicking a link, and that the impact is partially mitigated by Chrome’s sandbox or other defenses. But the label doesn’t mean the vulnerability is harmless; it’s a crack in the armor, and in browsers, those cracks can be widened or chained with other bugs.
The update to 150.0.7871.47 for the iOS Stable channel includes only this fix, according to the Chrome Releases blog. There are no other security patches or feature tweaks in this specific release—a sign that Google deemed the bug important enough to ship a standalone point release. That alone should grab your attention.
What It Means for You
For everyday users: If you use Chrome on an iPhone or iPad, you’re vulnerable until you update. The risk isn’t theoretical. While we haven’t yet seen reports of active attacks, cybercriminals are quick to reverse-engineer patches and build exploits that target unpatched devices. A “medium” rating might tempt you to shrug it off, but consider this: a drive-by download from an otherwise legitimate-looking page could execute code inside the browser context, steal cookies, capture keystrokes, or redirect you to phishing sites. Updating is a two-minute task that eliminates that vector.
For IT and MDM administrators: If your organization manages a fleet of iPhones or iPads where Chrome is installed—whether by policy or user choice—this update needs to land in your patch management pipeline immediately. Medium-severity browser bugs have a way of growing teeth once the details leak. Check your Mobile Device Management console to confirm the latest version is whitelisted and push the update without delay. For corporate-owned devices, consider enforcing automatic app updates through your MDM to avoid this kind of scramble next time.
For developers: Web developers testing sites against Chrome for iOS should ensure their test devices are running 150.0.7871.47 or later. A quirk in rendering or script execution caused by the underlying bug might skew your testing results, especially if you’re working with advanced HTML5 features or complex JavaScript. This isn’t a WebKit vulnerability—Chrome on iOS uses Apple’s WebKit engine, as mandated by App Store rules, but the bug likely resides in Chrome’s own application layer, the container that wraps the engine. So your site might behave one way on the old version and another on the patched one. Also, if you maintain any hybrid apps that embed Chrome via SFSafariViewController or WKWebView with custom Chrome integration, double-check your configurations.
How We Got Here: The Patch Cycle
This CVE is part of Google’s continuous stream of security fixes that flow into Chrome across all platforms. The company typically rewards researchers through its Vulnerability Reward Program when they privately report bugs, then works on a fix before disclosing any details. For iOS, the process includes Apple’s App Store review, which sometimes introduces a small delay between the fix being ready and it landing on users’ devices—but Google times its Stable channel announcements to match availability in the App Store.
Chrome 150 was already in the release pipeline on other platforms when this flaw came to light. Rather than wait for the next regular update, Google bundled the fix into a minor bump specifically for iOS. That underscores both the urgency and the platform-specific nature of the problem: whatever’s broken, it’s not present in the Android, Windows, or Mac builds of Chrome, or it was already fixed there on a different schedule. The iOS app’s architecture—where all rendering must go through WebKit—means that some of Chrome’s own code sits in an unusual position, and that’s likely where the bug lived.
Looking back, this isn’t the first time a Chrome for iOS release has been solely a security update. Similar rapid-response versions have appeared when a bug was judged serious enough to disrupt the normal release cadence. Users who keep their apps up to date seldom notice these minute bumps; they happen silently in the background. That’s why it’s valuable to check occasionally, especially if you’ve turned off automatic updates.
What to Do Now
Update Chrome on your iPhone or iPad:
- Open the App Store.
- Tap your profile icon in the upper right.
- Scroll down to find Chrome in the list of pending updates, or pull to refresh.
- Tap Update next to Chrome. If the button says Open, you’re already on the latest version.
Alternatively, you can search for “Chrome” in the App Store, tap on it, and see the Update button directly on the app page.
Verify the version inside Chrome:
- Open Chrome, tap the three-dot menu (•••) in the bottom bar (or top, depending on your setup).
- Go to Settings > About Chrome.
- You should see version 150.0.7871.47 or higher. If not, return to the App Store and try updating again—sometimes there’s a lag in rollout.
For those who manage multiple devices:
- In Jamf, Intune, Workspace ONE, or your MDM of choice, confirm that the Chrome for iOS app update with this version is approved and deployed to all managed devices. Set a compliance policy that flags any device running an older version.
- Consider enabling auto-updates on supervised devices; you can do this via configuration profiles that allow App Store apps to update without user interaction.
If you can’t update right now:
- Practice strict browsing hygiene: avoid clicking links from unknown sources, be suspicious of email attachments that open web pages, and steer clear of websites that seem hastily assembled or odd. Using a content blocker can reduce the attack surface, but it’s not a replacement for patching.
- Switch temporarily to Safari for sensitive tasks—Safari receives its own WebKit patches and isn’t affected by this Chrome-specific vulnerability.
Outlook: More Details Coming, and a Reminder
Google will likely publish the full technical writeup for CVE-2026-13991 once a comfortable percentage of users have updated, which typically happens within a few weeks. That release will tell us whether the bug could stump for remote code execution, data exfiltration, or something else entirely. Until then, the patch itself is the best protection.
The steady drumbeat of browser vulnerabilities serves as a reminder: on iOS, while the system’s sandbox model is strong, applications like Chrome run with the privileges allotted to them, and a bug in an app can still expose local data or manipulate what you see on screen. Keeping every app updated isn’t just good practice; it’s the last line of defense against targeted attacks.
We’ll be watching for any signs of active exploitation or proof-of-concept code. In the meantime, take the two minutes to update. Your next browsing session will be the safer for it.