Google released a security update for Chrome on June 30, 2026, fixing a high-severity vulnerability that could allow attackers to escape the browser’s protective sandbox. The flaw, tracked as CVE-2026-13796, resides in the Chromecast component and involves an integer overflow. Chrome 150.0.7871.47 for Windows and macOS contains the patch. Users should update immediately.
The flaw and the fix
The vulnerability is an integer overflow in the Chromecast feature. Google hasn't disclosed technical details. In general, an integer overflow occurs when an arithmetic result exceeds the range of the integer type that holds it, not the memory allocated for it: the value wraps, and when the wrapped value is later used as an allocation size, a copy length or an index, the program allocates too little memory or writes past the end of an object, which an attacker can turn into memory corruption and code execution. Chrome's sandbox architecture confines the renderer process that runs web content, so an overflow classified as a sandbox escape points at code that runs outside that confinement; exploiting it would let an attacker who already controls a renderer break out of the containment and run code with the privileges of the browser process, which are those of the logged-in user.
The Chromecast component handles streaming media to Cast-enabled devices. It is integrated into Chrome, so any web content that can reach the overflowing code path, perhaps through a malicious webpage or crafted media, could trigger the vulnerability. The sandbox escape aspect elevates the risk: normally, even if an attacker compromises the renderer process, the sandbox should keep that code away from the file system, the network and other processes except through the narrow IPC interfaces the browser process exposes. Bypassing it is a serious breach of Chrome's defense in depth.
Google categorized the vulnerability as high severity, its second-highest rating. The update to Chrome 150.0.7871.47 for Windows and macOS patches the bug. As is standard, Google will withhold full technical details until a majority of users have applied the fix, reducing the chance of exploitation.
What it means for you
For home users
If you use Chrome on Windows or macOS, the fix is rolling out automatically. Typically, Chrome updates silently in the background and applies on restart. To check your version, go to chrome://settings/help. If it says version 150.0.7871.47 or later, you’re safe. If not, click “Relaunch” to finish updating.
The sandbox escape risk underscores why staying current is critical. Even if you practice safe browsing, a compromise could occur through no fault of your own: vulnerabilities like this can be triggered by malicious ads, compromised legitimate sites, or content injected over plain HTTP by an attacker on the network path, for example on an untrusted Wi-Fi network.
For enterprise administrators
IT admins managing Chrome deployments need to push this update urgently. The sandbox escape vector makes it a high-priority patch. Use your update management tools (Group Policy, SCCM, Jamf, etc.) to enforce the latest stable version. Chrome’s policy templates allow you to manage automatic updates and version targets.
The update does not require a restart of the entire machine, but users will need to restart Chrome. Encourage them to do so promptly. For environments with strict control, you can verify the installed version across endpoints via the management console.
For developers
If you embed Chromium or the Cast protocol in your own applications, investigate whether the vulnerability applies. The fix landed in the Chromium code base, so downstream projects such as embedding frameworks and Chromium-based browsers need to pick up the fixing commit or move to a release that includes it. The Chromium bug itself stays access-restricted until most users are updated, so track the release branch commits and the stable channel release notes rather than waiting for the bug to open.
How we got here: Chrome sandbox escapes and integer overflows
Chrome’s sandbox is a cornerstone of its security model. It restricts the renderer process, where web content executes, from directly accessing the file system, network, or other system resources. Instead, the renderer asks the privileged browser process, which acts as a broker, to perform those operations over IPC. Escaping the sandbox therefore typically requires a second vulnerability in something the renderer is still allowed to talk to: the browser process, a kernel or OS service, or the sandbox policy itself.
Sandbox escapes are rare but not unprecedented. In 2021, a high-severity use-after-free in the Portals API (CVE-2021-37973), which Google said was being exploited in the wild, allowed escape. In 2023, another sandbox escape via the File System Access API was patched. Each time, the severity was high because such a bug breaks the primary security boundary.
Integer overflows have been a longstanding class of software defects. When a program attempts to store a number too large for its data type, the value wraps around, leading to unexpected behavior. In C and C++, the languages Chromium is written in, unsigned arithmetic wraps silently and signed overflow is undefined behavior; either way, a wrapped value used as an allocation size, a copy length or an array index becomes a buffer overflow that lets an attacker overwrite memory and execute arbitrary code. Chromium guards many size calculations with base::CheckedNumeric, but any unguarded arithmetic on attacker-controlled lengths is a candidate for exactly this bug.
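To make the chain described above concrete, here is an added example. It is not Chrome's code and not the code behind CVE-2026-13796, whose details are not public; the frame header, its field names and the crafted values are hypothetical. It sizes a buffer from two attacker-controlled length fields, first with unchecked 32-bit arithmetic that wraps, then with the overflow-checked form, which is the same idea Chromium's base::CheckedNumeric applies.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical frame header: two length fields read from attacker-controlled
 * input. An illustration of the bug class, not Chrome's actual format. */
struct frame_hdr {
    uint32_t sample_count;
    uint32_t bytes_per_sample;
};

/* Vulnerable pattern. The 32-bit product wraps modulo 2^32, so a header with
 * sample_count = 0x40000000 and bytes_per_sample = 8 yields 0: a following
 * malloc(0) plus a per-sample copy loop would write far past the allocation. */
uint32_t frame_bytes_unchecked(const struct frame_hdr *h)
{
    return h->sample_count * h->bytes_per_sample;
}

/* Hardened pattern: detect the wrap and refuse the frame. Returns 0 and writes
 * the size on success, -1 if the product does not fit in 32 bits. */
int frame_bytes_checked(const struct frame_hdr *h, uint32_t *out)
{
    if (__builtin_mul_overflow(h->sample_count, h->bytes_per_sample, out))
        return -1;
    return 0;
}

/* Copies a frame into a freshly allocated buffer sized with the checked
 * arithmetic and bounded by the payload actually received. Returns NULL on
 * overflow, on a header claiming more bytes than were received, or on OOM. */
uint8_t *copy_frame(const struct frame_hdr *h, const uint8_t *payload,
                    size_t payload_len, uint32_t *out_len)
{
    uint32_t need;
    if (frame_bytes_checked(h, &need) != 0)
        return NULL;
    if (need > payload_len)
        return NULL;
    uint8_t *buf = malloc(need ? need : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, payload, need);
    *out_len = need;
    return buf;
}

/* Constructed crafted header: 0x40000000 * 8 == 2^33, which wraps to 0. */
static const struct frame_hdr CRAFTED = { 0x40000000u, 8u };
/* Constructed benign header: 100 samples of 4 bytes. */
static const struct frame_hdr BENIGN = { 100u, 4u };

/* Size the vulnerable computation would allocate for the crafted header. */
uint32_t crafted_wrapped_size(void)
{
    return frame_bytes_unchecked(&CRAFTED);
}

/* 1 if the hardened size computation rejects the crafted header. */
int crafted_header_rejected(void)
{
    uint32_t n;
    return frame_bytes_checked(&CRAFTED, &n) == -1;
}

/* 1 if copy_frame refuses the crafted header even with a payload present. */
int crafted_frame_refused(void)
{
    uint8_t payload[16] = {0};
    uint32_t len = 0;
    return copy_frame(&CRAFTED, payload, sizeof payload, &len) == NULL;
}

/* Copies a constructed 400-byte payload under the benign header; returns the
 * number of bytes copied and verified, or 0 if copy_frame refused it. */
uint32_t benign_frame_copied_bytes(void)
{
    uint8_t payload[400];
    memset(payload, 0xAB, sizeof payload);
    uint32_t len = 0;
    uint8_t *buf = copy_frame(&BENIGN, payload, sizeof payload, &len);
    if (buf == NULL)
        return 0;
    int ok = memcmp(buf, payload, len) == 0;
    free(buf);
    return ok ? len : 0;
}
```

The unchecked function is deliberately never paired with a copy here; the point is that it returns 0 for the crafted header, and any consumer trusting that 0 as a buffer size has a heap overflow. The checked path rejects the header before any allocation, and copy_frame additionally bounds the copy by the bytes actually received, so an inconsistent header cannot read past the payload either.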
The Chromecast component has had previous issues. In 2019, a serious vulnerability in the Chromecast built-in service allowed remote attackers to play arbitrary media. While that wasn’t a sandbox escape, it highlighted that the casting functionality adds attack surface.
We don’t yet know how CVE-2026-13796 was discovered. Google often credits external researchers through its Vulnerability Reward Program. The fact that it was patched in a routine stable channel update—not an emergency out-of-cycle patch—suggests it wasn’t under active exploitation at the time, though that can’t be ruled out.
What to do now
Check your Chrome version. Open Chrome, click the three-dot menu > Help > About Google Chrome. The version number and update status appear. If you see 150.0.7871.47 or later, you’re patched.
If not updated, relaunch Chrome. Usually, the update downloads automatically. Click “Relaunch” to finish. If you don’t see an update, you can download the latest installer from google.com/chrome.
Turn on automatic updates if disabled. Chrome updates by default, but some users or corporate policies disable it. In enterprise, ensure your policy templates allow automatic updates and that they’re not blocked by firewalls or offline management.
Scan for suspicious activity. While no exploits are known, it’s good practice to monitor for unusual behavior. For enterprises, EDR tools can flag the process activity a sandbox escape tends to produce: the main Chrome browser process spawning shells, script interpreters or other unexpected child processes, or writing executables to disk.
Apply updates to all Chromium-based browsers. If you use Microsoft Edge, Brave, Opera, or others, check for updates; they will likely incorporate this fix in upcoming releases. Each browser has its own update mechanism.
Remain vigilant. Attackers often target the window between a fix becoming public and users applying it. Even though this bug was fixed before any public disclosure, Chromium’s source is open, so the fixing commit can be diffed and reverse-engineered into an exploit. Keep your OS and other software patched to limit what an attacker can do if Chrome is compromised.
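The version check in the first step above, and the endpoint-wide verification described for administrators, reduce to one question: is the installed build at or above 150.0.7871.47? Here is an added example, not code from Google or from the page, that answers it: a small C program that parses four-part Chrome versions, compares them numerically rather than as strings, and scans a constructed hostname,version inventory. The hostnames, the inventory records and the CSV shape are made up.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* First Chrome build that carries the fix, per the advisory. */
#define PATCHED_VERSION "150.0.7871.47"

/* Parses a four-part Chrome version "major.minor.build.patch" into v[4].
 * Returns 0 on success, -1 if the string is not exactly that shape. */
int parse_chrome_version(const char *s, unsigned v[4])
{
    char trailing;
    int n = sscanf(s, "%u.%u.%u.%u%c", &v[0], &v[1], &v[2], &v[3], &trailing);
    return n == 4 ? 0 : -1;
}

/* Compares two versions numerically, field by field.
 * Returns -1, 0 or 1 as a is below, equal to or above b, and -2 when either
 * string fails to parse. A plain strcmp() gets this wrong: it orders
 * "150.0.7871.100" below "150.0.7871.47". */
int chrome_version_cmp(const char *a, const char *b)
{
    unsigned va[4], vb[4];
    if (parse_chrome_version(a, va) != 0 || parse_chrome_version(b, vb) != 0)
        return -2;
    for (int i = 0; i < 4; i++) {
        if (va[i] < vb[i]) return -1;
        if (va[i] > vb[i]) return 1;
    }
    return 0;
}

/* 1 if the installed version is at or above the patched build. An unparseable
 * version string is treated as unpatched so it surfaces for investigation. */
int is_patched(const char *installed)
{
    return chrome_version_cmp(installed, PATCHED_VERSION) >= 0;
}

/* Constructed inventory export, one "hostname,version" record per line, the
 * kind of CSV an endpoint management console can produce. */
static const char *const INVENTORY[] = {
    "wks-001,150.0.7871.47",
    "wks-002,150.0.7871.100",
    "wks-003,149.0.7800.12",
    "wks-004,150.0.7871.9",
    "wks-005,unknown",
};
#define INVENTORY_LEN (sizeof INVENTORY / sizeof INVENTORY[0])

/* Scans inventory records, prints each host that still needs the update and
 * returns how many there are. Records without a comma count as unpatched. */
size_t count_unpatched(const char *const *records, size_t n)
{
    size_t unpatched = 0;
    for (size_t i = 0; i < n; i++) {
        const char *comma = strchr(records[i], ',');
        const char *version = comma ? comma + 1 : "";
        if (!is_patched(version)) {
            printf("needs update: %s\n", records[i]);
            unpatched++;
        }
    }
    return unpatched;
}

/* Runs the scan over the constructed inventory; returns the unpatched count. */
size_t scan_sample_inventory(void)
{
    return count_unpatched(INVENTORY, INVENTORY_LEN);
}

int main(void)
{
    printf("%zu host(s) below %s\n", scan_sample_inventory(), PATCHED_VERSION);
    return 0;
}
```

Two design points: the comparison is numeric per field because the patch field routinely exceeds two digits, so lexical ordering misclassifies newer builds as old; and anything that does not parse as a version is reported rather than silently skipped, since an endpoint reporting "unknown" is exactly the one an administrator needs to look at.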
Outlook
Google will publish more details in the coming weeks as the patch reaches a wider audience. The Chromium project’s transparency means security researchers can examine the code changes, which helps improve overall security but also gives attackers clues. Expect security firms to publish advisories soon.
Chrome’s rapid release cycle means version 151 will arrive in a few weeks with additional fixes and features. Meanwhile, the Chrome 150 milestone will receive further security updates if new vulnerabilities surface.
For now, apply the patch and continue treating web-based threats seriously. A patched browser is your first line of defense, but no single update is a silver bullet. Combine it with good security hygiene: use a password manager, enable two-factor authentication, and keep your operating system up to date.