Google has released an urgent update for Chrome on macOS to close a security hole tracked as CVE-2026-13975. The fix arrives in version 150.0.7871.47, and anyone running the browser on a Mac should install it immediately. Windows systems are not named in the advisory, but the update still carries a clear reminder for every Chrome user: staying current is the single most effective defense against drive-by attacks.
What just happened
On [date not specified in advisory], security researchers flagged a vulnerability in Google Chrome for macOS. Details are sparse — Google typically withholds technical specifics until a majority of users have patched — but the CVE entry makes one thing plain: all versions of Chrome on the Mac released before 150.0.7871.47 are vulnerable. The fix is bundled into the stable channel update that pushes the browser to that exact build.
Chrome updates normally roll out silently in the background. When you restart the browser, the new version takes effect. This particular release, however, carries an out-of-band urgency. CVE-2026-13975 is not a routine patch; it corrects a flaw severe enough to warrant a dedicated warning. The absence of an in-the-wild exploit mention does not lower the risk — many Chrome zero-days are exploited before public disclosure.
Does this affect Windows?
The advisory is explicit: Windows is not listed as an affected platform. That means the underlying bug — whether it's a memory corruption, a sandbox escape, or a privilege escalation — either does not exist in the Windows codebase or is not exploitable there. Chrome shares most of its engine across operating systems, but platform-specific components (like sandboxing rules, GPU process integration, or font rendering) occasionally introduce OS-only vulnerabilities.
Still, Windows users should not shrug off the alert. Chrome 150.0.7871.47 is a unified release. The same version number ships for Windows, Linux, and Android at roughly the same time. While the marquee CVE-2026-13975 fix doesn't touch Windows bits, the update almost certainly bundles other security improvements and bug fixes that apply to every platform. Google publishes a list of security fixes in its Chrome Releases blog; even when a CVE isn't flagged for Windows, the changelog often includes "various fixes from internal audits" or lower-severity patches that hardened the browser.
For Windows power users and IT admins who manage fleets of Chrome installations, the takeaway is twofold: first, confirm that your Windows endpoints are running the latest build; second, recognize that a Mac-only CVE can be a harbinger of similar flaws being discovered in other platforms. Browsers are too complex to assume isolation.
How we got here
Chrome's security machinery is built on a rapid release cycle. A new major version arrives every four weeks, with minor stable channel refreshes appearing roughly every two weeks. When a critical bug is discovered — often by Google's own Project Zero, external researchers, or through the Vulnerability Reward Program — the fix is landed in the Canary and Dev channels, tested, and then merged into the stable branch. Timelines compress to days when an exploit is already active.
CVE-2026-13975 fits a pattern: a platform-specific bug that likely stemmed from an interaction between Chrome's multi-process architecture and macOS-specific APIs. Over the past several years, similar macOS-only vulnerabilities have appeared. In 2024, CVE-2024-5274 (a type confusion in V8) shipped as a Mac-only emergency patch; in 2023, CVE-2023-3079 affected only Mac and Linux. Each instance reminds us that even a cross-platform browser can harbor OS-specific weaknesses.
For IT professionals, this history underscores why unified update policies matter. A vulnerability that today targets macOS could tomorrow be adapted to Windows or Android. The Chrome release cycle is designed to deliver fixes before that adaptation happens, but only if every device in your environment actually receives the update.
What to do now
If you're a home user on any platform:
- Check your Chrome version. Click the three-dot menu → Help → About Google Chrome. The browser will automatically check for updates and display the current version. Look for 150.0.7871.47 or higher.
- Relaunch Chrome. If an update is pending, you'll see a "Relaunch" button. Save your work and click it. Some updates require a full browser restart to take effect.
- Enable automatic updates. Chrome handles this by default, but you can confirm by ensuring that Google Update services are running. On Windows, type "Services" in the Start menu, locate "Google Update Service (gupdate)" and confirm it's set to Automatic. On Mac, the process is managed by Google Software Update, which runs via a background scheduler.
If you're a Windows administrator managing enterprise Chrome deployments:
- Verify your distribution point. If you push Chrome via Group Policy, SCCM, or Intune, ensure that the latest MSI or package is being deployed. The stable channel MSI is available from Google's enterprise download page; check that the file version matches 150.0.7871.47.
- Audit endpoints. Use your management console to scan for machines still running older builds. Prioritize any box that has had Chrome open for more than a week without a restart — background updates require a relaunch to activate.
- Tighten Group Policy. Even though Windows isn't directly affected by CVE-2026-13975, configure Chrome's update policies to minimize lag. Set "Allow installation via Component Updates" and "RelaunchNotificationPeriod" to force restarts within a reasonable window (e.g., 24 hours) after a critical update.
If you're a developer working across platforms:
- Test your web app on 150.0.7871.47. Even minor security patches can alter rendering behavior or deprecate a fragile feature. Run your CI suite against the new build.
- Watch the release notes. Google will eventually publish a detailed bulletin for this version on the Chrome Releases blog. The post typically includes links to the relevant code reviews, which can help you understand if any JavaScript engine or Web API changes were introduced.
Outlook
Google hasn't indicated whether CVE-2026-13975 was exploited before the patch. Historically, details emerge within days or weeks as researchers publish analyses or the bug bounty program reveals its credits. Windows users should monitor the Chrome Releases blog for the final bulletin, because it may disclose additional fixes that affect all platforms.
In the meantime, the quickest way to protect every device — Mac, Windows, Linux, Android, or iOS — is to treat every Chrome update as mandatory. Browsers sit at the intersection of user data and the open web; a single unpatched vulnerability can undermine every other security layer. The distinction between "affects Mac" and "affects Windows" matters less than whether your browser is running the latest code.