Google shipped a targeted fix on June 30, 2026, addressing a medium-severity vulnerability in Chromium’s Paint component that could have let remote attackers spoof the browser’s interface. The update, Chrome 150.0.7871.47, patches CVE-2026-13979, a flaw that, if exploited, might trick users into trusting fake dialog boxes or status indicators.

What changed in Chrome 150.0.7871.47

CVE-2026-13979 sits inside Chromium’s Paint code, the part of the Blink rendering engine that paints web content into the area a page controls. The browser’s own UI (tabs, address bar, download prompts, permission pop-ups) is drawn separately by the browser process, and a page is never supposed to draw outside its own viewport or over that UI. A paint bug that lets a crafted site escape those boundaries, or misrepresent what lies beneath its own pixels, is what allows it to overlay fake UI elements on top of genuine ones, or to alter the appearance of existing elements so that they misrepresent their origin.

The flaw was disclosed on June 30, 2026, alongside the stable channel update. Google’s advisory categorizes it as medium severity, the third of Chromium’s four ratings (critical, high, medium, low), used for bugs whose impact is limited or that need unusual user interaction or a non-default configuration. No details about active exploitation have been released, and Google has not yet shared the bug bounty amount awarded to the external researcher who reported the issue. As with every Chrome security fix, the underlying bug report stays restricted until a majority of users are running the patched build, so do not expect a technical write-up for some weeks.

For everyday users, the most tangible change is a bump in the version string: check chrome://settings/help and you should see 150.0.7871.47 for Windows, with corresponding builds rolling out for macOS and Linux. There are no new features or interface changes in this release—it is purely a security patch.

What it means for you

For home users

If you have Chrome’s automatic updates enabled (the default), the browser will download and apply the new version silently over the coming days. The update takes effect the next time you restart Chrome. To accelerate the process, look for the “Update” button in the upper-right corner: its colour shows how long the update has been waiting, from green (a day or two) through orange to red (a week or more), and clicking it relaunches Chrome on the new version.

In practice, CVE-2026-13979 makes it easier for malicious sites to present fake UI that mimics legitimate browser warnings. A spoofed “Your connection is secure” indicator or a phony notification about a system error could convince you to click a dangerous link, enter credentials, or install malware. The classic example is a fraudulent “Update Chrome to continue” pop-up that actually downloads a malicious executable. Because the flaw is in the rendering code rather than in a page’s ordinary HTML, the fake elements are not limited to looking like page content and can appear pixel-perfect, so even security-conscious users might be deceived. One check survives any spoof: Chrome never asks you to download an installer from a web page. Genuine updates arrive only through the browser’s own menu and chrome://settings/help, so any in-page prompt to download or run something in order to “update” or “continue” is fraudulent.

This type of attack requires you to visit a booby-trapped site, and it usually has to be combined with social engineering. There is no evidence yet that the bug has been abused in the wild, but spoofing tricks are easy to reproduce once described, so the safest approach is to treat any browser UI that looks unusual or asks for sensitive actions with suspicion until you have confirmed you are on the latest version.

For IT administrators

In managed environments, you’ll want to prioritize this patch even though the severity is “medium” because UI spoofing can be a stepping stone to credential theft. Google’s usual rollout timeline means the update reaches most endpoints within a week, but you can force an immediate push via your update management tool or Group Policy.

Key points for deployment:

  • The Windows MSI installer for 150.0.7871.47 should already be available in your usual distribution point. If you use Google Update policies, verify that “Auto-update check period override” is not set to an excessively long interval.
  • For enterprises that block external downloads, stage the update internally using the offline installer downloadable from Google’s enterprise site.
  • UI spoofing leaves no distinctive process-level trace, so EDR alerts keyed to unusual behaviour in Chrome’s renderer processes will not catch an exploit of this bug. Watch instead for the follow-on actions a spoof is designed to trigger: executables written by Chrome to the Downloads folder and launched shortly afterwards, and sign-ins or credential submissions to domains that appear in your proxy logs for the first time. While no known exploits are in circulation, that kind of monitoring can catch the early signs of a campaign.
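The checklist above verifies distribution, not results. The following script is an added example, not from Google’s advisory or from Chrome’s own tooling: it audits version strings your RMM has collected from google-chrome --version (or the equivalent file-version lookup on Windows) against the fixed build, comparing each field numerically so that 150.0.7871.9 is correctly reported as older than 150.0.7871.47. The inventory lines it processes are constructed sample data, including one host where the collection command failed.

```sh
#!/bin/sh
# Added example, not from Google or the page: audit collected Chrome version
# strings against the fixed build. The INVENTORY lines are constructed sample
# data in the shape "host|output of google-chrome --version".
FIXED="150.0.7871.47"

# Print the dotted four-part version found in a line such as
# "Google Chrome 150.0.7871.47" or "Chromium 151.0.7900.12 snap";
# print nothing when the line holds no such version.
chrome_version() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
    }'
}

# version_ge A B: succeed when dotted version A is at least B, comparing each
# of the four fields numerically. A plain string compare would rank
# 150.0.7871.9 above 150.0.7871.47 because "9" sorts after "4".
# Versions are padded with ".0.0.0" so short inputs still yield four fields.
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s.0.0.0' "$1" | cut -d. -f"$i")
        fb=$(printf '%s.0.0.0' "$2" | cut -d. -f"$i")
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# needs_update VERSION: succeed when VERSION is older than the fixed build.
needs_update() {
    if version_ge "$1" "$FIXED"; then return 1; fi
    return 0
}

# Read "host|version output" lines on stdin, print one status line per host,
# and succeed only if every host is on the fixed build or newer. Hosts whose
# output contains no version are reported as UNPARSED and counted as stale,
# since an unknown version must not pass a patch audit.
audit_inventory() {
    stale=0
    while IFS='|' read -r host raw; do
        v=$(chrome_version "$raw")
        if [ -z "$v" ]; then
            printf '%s\tUNPARSED\t%s\n' "$host" "$raw"; stale=$((stale + 1))
        elif needs_update "$v"; then
            printf '%s\t%s\tNEEDS UPDATE\n' "$host" "$v"; stale=$((stale + 1))
        else
            printf '%s\t%s\tok\n' "$host" "$v"
        fi
    done
    [ "$stale" -eq 0 ]
}

# Constructed sample inventory (hostname|collected command output).
INVENTORY='ws-01|Google Chrome 150.0.7871.47
ws-02|Google Chrome 150.0.7871.9
ws-03|Google Chrome 149.0.7800.120
ws-04|Chromium 151.0.7900.12 snap
ws-05|bash: google-chrome: command not found'

if printf '%s\n' "$INVENTORY" | audit_inventory; then
    echo "all hosts are on $FIXED or newer"
else
    echo "one or more hosts still need $FIXED"
fi
```

Feed it real data by replacing INVENTORY with the output of your collection job; the exit status of audit_inventory makes it usable as a compliance check in a scheduled task, and the UNPARSED line is deliberate: a host that could not report a version should block a “fully patched” sign-off rather than silently pass.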

For developers

Web developers who rely on headless Chromium or embed the browser in Electron-based applications should rebuild their projects with the updated Chromium engine as soon as it reaches the corresponding release channel. Electron versions that bundle the older Chromium inherit the vulnerability and expose their users to spoofed UI, especially in apps that display privileged system prompts; Electron backports Chromium fixes only to its currently supported release lines, so an app pinned to an older line needs a major-version upgrade, not just a patch bump. Likewise, automation tools such as Puppeteer and Playwright download their own browser binary rather than using the system Chrome, so updating Chrome on the machine does nothing for them until the tool’s pinned browser revision is updated. Track the Electron release schedule to know when a patched build is available.

How we got here

CVE-2026-13979 is the latest in a long line of Chromium rendering flaws that enable UI spoofing. Address-bar spoofing bugs, where a site shows a false URL after the page has fully loaded, have been reported and patched repeatedly over the years, and earlier this year a similar Paint-related vulnerability (CVE-2026-11392) let attackers hide the secure connection indicator completely.

Chrome’s multi-process architecture and sandboxing mean that a rendering bug of this kind typically stays confined to the sandboxed renderer and does not by itself yield code execution or access to other sites’ data, but such bugs remain valuable to attackers because they directly undermine the signals users rely on to judge whether to trust what they see. Google’s security team rewards such reports through the Chrome Vulnerability Reward Program, often paying between $1,000 and $5,000 for medium-severity UI issues, depending on the quality of the proof of concept.

Chrome has shipped a new major version every four weeks since 2021, with point releases on the current stable branch in between. Chrome 150 itself landed on June 23, 2026, introducing a handful of new CSS features and a redesigned download bubble. The .7871.47 refresh is one of those point releases, meaning the flaw was deemed important enough to warrant a dedicated fix rather than waiting for the next scheduled major stable update (Chrome 151).

What to do now

1. Update immediately
Go to chrome://settings/help and click “Relaunch” when the update is ready. If you haven’t restarted Chrome in a while, you might see a pending update for an earlier version—apply that first, then check again.

2. Enable enhanced protection (optional)
While it won’t retroactively fix the Paint bug, Chrome’s Enhanced Safe Browsing mode (chrome://settings/security) sends URLs to Google for real-time analysis and can block many phishing sites before they load. This provides a second layer of defense while the patch reaches all users.

3. Harden browser settings
Under chrome://settings/content/notifications, set “Sites can ask to send notifications” to “Don’t allow sites to send notifications”, or at least block requests from unfamiliar sources. Many UI-spoofing scams rely on web notifications, which appear as operating-system style pop-ups outside the page and are easy to dress up as fake virus warnings or system errors once a site has been granted permission. Denying that permission removes this avenue regardless of which rendering bug is in play.

4. For system administrators
Push the update through your RMM or MDM platform. If you use third-party patching tools, confirm they ingested the new Chrome release within the first 24 hours. For machines that must stay on older versions due to compatibility, apply a browser isolation policy or restrict those machines to trusted intranet sites until a full deployment is possible.

5. Stay informed
Bookmark the Chrome Releases blog and the Chromium security page. For CVE-specific details, watch the Chromium bug tracker entry linked from the release post; it is opened to the public once most users have updated, usually some weeks after disclosure.
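For managed fleets, the notification lockdown in step 3 should be applied as a mandatory policy rather than left to each user’s settings page, which belongs with the administrator tasks in step 4. The script below is an added example, not Google’s tooling or anything from this page; it uses Chrome’s documented DefaultNotificationsSetting and NotificationsAllowedForUrls policies and the standard Linux managed-policy directory, with [*.]corp.example standing in for whatever internal origins legitimately need notifications.

```sh
#!/bin/sh
# Added example, not from the page or from Google: enforce the notification
# lockdown centrally with a Chrome managed policy. Policy names and the Linux
# policy directory are Chrome's documented ones; "[*.]corp.example" is a
# placeholder for your own internal origins.
POLICY_DIR="/etc/opt/chrome/policies/managed"

# write_notification_policy DIR ORIGIN_PATTERN
# Writes DIR/notifications.json. DefaultNotificationsSetting: 1 allows every
# site, 2 blocks every site, 3 lets sites ask (Chrome's default). With 2 in
# place only origins listed in NotificationsAllowedForUrls can show
# notifications, and users cannot re-enable the permission from chrome://settings.
write_notification_policy() {
    dir="$1"; allowed="$2"
    mkdir -p "$dir"
    cat > "$dir/notifications.json" <<EOF
{
  "DefaultNotificationsSetting": 2,
  "NotificationsAllowedForUrls": ["$allowed"]
}
EOF
    chmod 644 "$dir/notifications.json"
}

# policy_value FILE KEY: print the value written for KEY in a flat policy
# file (trailing comma stripped), so a config-management run can verify
# what it deployed before relying on it.
policy_value() {
    sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*//p" "$1" | sed 's/,$//'
}

# Install into the real policy directory only when it is writable (running as
# root on an endpoint); otherwise write to a scratch directory for review.
if [ -d "$POLICY_DIR" ] && [ -w "$POLICY_DIR" ]; then
    target="$POLICY_DIR"
else
    target=$(mktemp -d)
    echo "not root or no $POLICY_DIR: writing to $target for review"
fi
write_notification_policy "$target" '[*.]corp.example'
echo "DefaultNotificationsSetting = $(policy_value "$target/notifications.json" DefaultNotificationsSetting)"
```

On Windows the same settings live under HKLM\Software\Policies\Google\Chrome (DefaultNotificationsSetting as a DWORD, NotificationsAllowedForUrls as a key whose string values are named 1, 2, and so on), and on macOS they are delivered through a configuration profile for com.google.Chrome. After deployment, chrome://policy on an endpoint lists each setting with its source and status, which is the quickest way to confirm the policy actually took effect.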

Outlook

Google has not indicated any other vulnerabilities fixed in the 150.0.7871.47 point release, so for now CVE-2026-13979 is the sole driver of this update. If exploit code does surface, expect the advisory to be updated with an in-the-wild note, and a follow-up release if the fix turns out to be incomplete. As always, a prompt update is the cheapest insurance against these polished, hard-to-spot UI tricks.