Google released a critical patch Tuesday for a vulnerability in Chrome’s Skia graphics engine that could let attackers trick users with spoofed interface elements, such as fake address bars or permissions pop-ups. The flaw, tracked as CVE-2026-14410, affects all Chrome versions prior to 150.0.7871.46 and is already seeing active exploitation, according to the company’s advisory.

The fix is in version 150.0.7871.46

The update, which began rolling out on April 15, addresses a flaw in how Skia—the open-source 2D graphics library that handles almost everything you see on a webpage—processes certain image and text primitives. By crafting a malicious webpage or hijacking a legitimate one, an attacker can cause the browser to render a UI widget, such as a dialog box or toolbar, in a way that disguises its origin. A user might see what appears to be a legitimate Chrome password prompt, when in reality the input is being captured by a third-party script.

Google’s advisory is terse, as is usual for Chrome vulnerability disclosures, but it makes one thing clear: versions prior to 150.0.7871.46 are vulnerable, and the company “is aware of reports that an exploit for CVE-2026-14410 exists in the wild.” The update landed on the Stable channel for Windows, Mac, and Linux simultaneously. Users who have automatic updates enabled should receive the patch within days; everyone else needs to pull it manually.

A deceptive attack surfaces

UI spoofing—also called “visual deception” or “homograph attacks”—has plagued browsers for years. The technique typically exploits rendering bugs to make a malicious page look like it belongs to a different, trusted context. In 2024, a similar bug in Chrome’s PDF viewer allowed a fake “Sign in with Google” pop-up to steal credentials. The current Skia flaw is distinct: it lives in the core rendering pipeline, which means it can be triggered from any site and can mimic not just pop-ups but also parts of the browser chrome—such as the address bar or extension icons.

Security researchers have long warned that as browsers become more powerful, the attack surface of the rendering engine grows. Skia is used by Chrome, Chromium-based browsers (Edge, Brave, Opera, Vivaldi), and even Android’s UI toolkit. So while only Chrome has confirmed a patch, the bug’s breadth means other browsers could be affected until they integrate the upstream fix. Opera and Brave have already issued patches; Microsoft says an Edge update based on the same Chromium version is coming “within the next 48 hours.”

For everyday users, the practical risk is high. A successful spoof could persuade someone to type their bank password into a fake overlay, grant microphone access to a spy site, or approve a payment via a WebAuthn prompt that actually authorizes a fraud. Because the attack hijacks trusted UI surfaces, even security-savvy users may fall for it—there’s no telltale URL mismatch or certificate warning when the address bar itself is being painted by the attacker.

Businesses face a different headache. Administrators who manage fleets of Windows machines must ensure that Chrome is updated across all endpoints, or—if they have deployed a Chromium-based browser—that the equivalent version from their vendor is installed. For organizations that rely on legacy web apps that break on newer Chrome releases, this is the kind of update that might force a difficult trade-off between security and functionality.

How we arrived at this moment

Skia has been integral to Chrome since the browser’s first release in 2008. Over time, it has grown from a simple 2D rasterizer into a sophisticated, GPU-accelerated graphics engine that paints nearly every pixel of the browser window. That ubiquity is precisely what makes bugs in Skia so dangerous: they can reach into all parts of the user interface.

CVE-2026-14410 is the third Skia-related vulnerability fixed this year. In January, Google patched CVE-2026-1512, an out-of-bounds write that could lead to remote code execution. In March, a type confusion bug in Skia’s font rendering (CVE-2026-3749) allowed information disclosure. Both were rated High severity; the new CVE-2026-14410 is also rated High, but the addition of in-the-wild exploitation elevates its urgency.

The bug’s discovery is credited to an anonymous researcher, though Google’s Threat Analysis Group (TAG) contributed to analyzing the exploit. That pattern—an external report quickly escalated due to active exploitation—suggests the attack was spotted in targeted campaigns rather than mass malware distribution. Still, once a patch is released, the details often become public enough for other criminals to reverse-engineer and weaponize. The window from patch to widespread exploitation can be measured in hours.

What you must do right now

For individuals:

  1. Check your Chrome version. Click the three-dot menu > Help > About Google Chrome. The version number appears at the top. If it’s anything less than 150.0.7871.46, the browser will begin downloading the update automatically while you’re on that page. Let it finish, then click “Relaunch.”
  2. If automatic update is stuck, download the installer directly from google.com/chrome. Overwriting the existing installation preserves your bookmarks and saved passwords.
  3. Verify the update took. After relaunching, go back to Help > About Chrome and confirm the version string. It should read “Version 150.0.7871.46 (Official Build) (64-bit)” or similar.
  4. Restart any open tabs. The update takes effect only after a full relaunch. Make sure you save any work in browser-based editors before restarting.

For IT administrators:

  • Deploy via WSUS or SCCM if you manage Chrome with enterprise policies. Google’s Chrome Enterprise release page has the MSI files for all supported architectures.
  • For Chromium-based browsers, check your vendor’s release notes. Edge users can force an update by going to edge://settings/help. The patched Edge version corresponding to Chromium 150 is expected as Edge 150.0.944.31, though check the latest at the Edge release info site.
  • Group Policy users can push the update silently. The “Update policy override” and “Chrome Cleanup” extensions aren’t needed for this—just the new MSI.
  • Scan for exploitation. Look for unusual browser pop-ups, unexpected permission prompts, or users reporting that a “Chrome login” window appeared on a non-Google site. While the exploit can be ephemeral, any lateral movement or credential theft would show in authentication logs.

For developers:
- If you maintain web apps that rely on canvas, WebGL, or precise layout rendering, test your applications on the updated Chrome version immediately. Skia fixes occasionally change antialiasing or font metrics in unbustworthy ways, though minor.
- Review any use of the OffscreenCanvas API, which offloads rendering to Skia. Exploitation of this bug could be weaponized via a worker thread to spoof UI without affecting the main page’s performance, making it harder to detect.

A future of tighter rendering security

Google has not disclosed the exact mechanism by which the Skia flaw allows UI spoofing, and it likely won’t until most users have patched. However, the company has signaled that it will invest more in fuzzing Skia’s drawing routines and in automating “visual integrity” checks that compare the rendered output of a page against what the browser’s trusted UI should look like.

Chrome’s release cycle means this isn’t the last you’ll hear of a critical patch. The browser’s next Stable release is scheduled for April 28, with several other security fixes already queued up. For now, the single most important action is to ensure every instance of Chrome you use—at home, at work, inside virtual desktops—is running version 150.0.7871.46 or higher.

Because this bug strikes at the very pixels you trust, even a brief delay in updating could be costly.