Google has pushed out Chrome 150.0.7871.47 for macOS to address CVE-2026-13974, a zero-day-level integer overflow in the browser’s Safe Browsing component that could let remote attackers bypass security warnings and trick users into visiting malicious websites. While the advisory is macOS-specific, all Chrome users should verify they’re running the latest version, as similar under-the-hood fixes often accompany cross-platform releases.
What CVE-2026-13974 Means for Chrome’s Defenses
CVE-2026-13974 targets the Safe Browsing engine—Google’s cloud-powered shield that checks every URL you visit against constantly updated lists of malware, phishing, and unwanted software sites. When you click a dangerous link, Safe Browsing throws up a bright red warning screen that blocks access unless you explicitly choose to proceed. It’s a protective layer that runs silently billions of times a day across Chrome, Firefox, and other browsers that license the technology.
An integer overflow in the code that processes these safety verdicts is particularly dangerous. Integer overflows happen when a calculation produces a value too large for the allocated memory space, causing it to wrap around to an unexpected small number or corrupt adjacent memory. In Safe Browsing’s case, such corruption could scramble the logic that decides whether to show the warning, effectively rendering it invisible. An attacker who crafts a URL designed to trigger this overflow could direct you to a fake banking site or malware download page with no visual cue of danger.
Google has classified the vulnerability as remotely exploitable with no user interaction beyond visiting a laced link—often a hallmark of “drive-by” attacks. The company is withholding deep technical details to prevent active exploitation before most users are patched, but the CVE’s description confirms that a successful exploit bypasses navigation warnings entirely. That’s a critical failure of a fundamental security promise Chrome makes to its users.
Who Needs to Update—And Why Windows Users Shouldn’t Ignore This
The official advisory from Google names macOS and Chrome version 150.0.7871.47 specifically. That likely reflects where the vulnerability was discovered, reported, or initially confirmed. However, the Chromium engine that underpins Chrome is cross-platform by design: the same core code runs on Windows, macOS, Linux, Android, and ChromeOS. When a security patch lands in one release branch, identical or analogous fixes almost always land in the parallel builds for other operating systems.
If you check your Windows or Linux installation right now, you’ll probably see Chrome 150.0.7871.47 (or a very close minor revision like .48) offered or already installed. The delta between platform-specific version numbers is typically just a build stamp that reflects the compilation environment—not a sign of missing patches. Google often consolidates security updates into a single release that ships across all desktop platforms, even when the primary advisory highlights one OS.
So while CVE-2026-13974 is tagged “macOS” in its headline, the safe move is to assume that every Chrome user benefits from the fix. Running an outdated browser is a standing invitation to drive-by attacks, and Safe Browsing bypass vulnerabilities are prized by cybercriminals precisely because they undermine the browser’s first line of defense.
How We Got Here: The Patch Pipeline and a History of Safe Browsing Flaws
Chrome’s release cycle is one of the fastest in the industry. New major versions appear roughly every four weeks, and stable channel updates land as soon as the code passes Google’s automated testing and human review. When a serious security bug surfaces—especially one that qualifies for a CVE—the engineering team spins an out-of-band release or rolls the fix into the next scheduled stable update. Version 150.0.7871.47 is a stable channel release, meaning it went through Google’s full pipeline before being pushed to users.
Safe Browsing has been a feature since 2007, and over the years it has been hardened against dozens of bypass attempts. In 2022, for example, a vulnerability allowed crafted HTML to fool Safe Browsing into whitelisting a phishing page. In 2023, another bug let scripts intercept the warning page and replace it with benign content. The common thread is that these flaws are not about breaking out of the browser sandbox or gaining system-level access; instead, they neutralize a psychological safety net that millions of people trust to tell them “this site may be dangerous.” For many users, that warning is the only difference between entering their credentials on a legitimate bank login and handing them to a fake site.
The integer overflow described in CVE-2026-13974 fits a pattern of logic bugs in the safety-checking code. Unlike memory-corruption flaws that are progressively being wrapped in sandbox mitigations, logic flaws can slip past many automated defenses because the code still executes—it just produces the wrong result. Google’s internal fuzzing tools and the Chrome Vulnerability Rewards Program are designed to catch these, but no system is perfect.
What to Do Now: Update Chrome and Lock Down Your Settings
1. Force an immediate update (all platforms)
Open Chrome, click the three-dot menu in the top-right corner, choose Help > About Google Chrome. The browser will check for the latest version and download it automatically. Once the download finishes, click Relaunch to complete the update. After restarting, verify the version number: click the same path and you should see 150.0.7871.47 (or later) on macOS, and a build like 150.0.7871.48 on Windows.
2. Turn on Enhanced Safe Browsing
While standard Safe Browsing checks URLs against an on-device list, Enhanced Safe Browsing sends real-time data to Google for deeper analysis. The trade-off is sending more browsing information, but the protection against fresh threats is markedly better. Go to Settings > Privacy and Security > Security, and select Enhanced protection. This setting is a strong defense against zero-day phishing and malware campaigns that might exploit similar vulnerabilities.
3. Enable auto-updates if they’re off
Chrome installs background services to keep itself current, but IT policies, third-party “optimizer” tools, or manual changes can disable them. In the same About page, you should see “Chrome is up to date” with a timestamp. If you see an error or a message that updates are disabled, investigate. On Windows, check that the Google Update service is running; on macOS, ensure you are not blocking Google Software Update.
4. If you manage devices, push the update now
For IT administrators, Google publishes MSI installers and group policy templates. The enterprise release notes for Chrome 150 will list all security fixes. Deploy the latest stable build across your fleet immediately, and audit browser versions to catch any machines that have fallen behind. For macOS endpoints, use your MDM to force the update or at the very least push a notification to users.
The Bigger Picture: Browsers as the New OS
We treat web browsers as if they were lightweight document viewers, but in truth they’ve become operating systems in their own right—executing complex JavaScript, rendering 3D graphics, and managing cryptographic keys. Each new feature added to Chrome expands the attack surface, and Safe Browsing remains a prime target because it’s the most visible signal of trust. When that signal fails, everything falls apart.
CVE-2026-13974 is a sharp reminder that updating within hours, not days, matters. Chrome’s silent update mechanism makes this easy for most people, but it’s not foolproof. The few who skip a reboot or have updates blocked by corporate policy are the ones most at risk.
Looking ahead, expect to see more CVE disclosures tied to navigation safety features. Google is investing heavily in on-device AI to detect phishing and malware patterns, but each new layer introduces its own potential for logic errors. The 150 milestone also brings other security improvements beyond this patch—tightened site isolation, smarter JavaScript dialog blocking, and performance optimizations that indirectly make the browser harder to exploit. Updating gets you all of those, plus the critical Safe Browsing fix.
The bottom line: check your version, hit relaunch, and sleep a little easier.