Google released Chrome version 150.0.7871 with a fix for CVE-2026-14023, a vulnerability in the SanitizerAPI that an attacker could exploit to bypass same-origin restrictions. The company rated the flaw as medium severity, but its potential to undermine a core browser security boundary makes it a priority update for Windows users.
A flaw in the HTML sanitizer opened a door across origins
The vulnerability resided in the SanitizerAPI, a relatively new browser feature designed to strip potentially dangerous elements from untrusted HTML strings before they reach the DOM. A validation weakness meant that a carefully constructed HTML page could trick the browser into treating content from different websites as if it came from the same source—effectively punching a hole in the same-origin policy.
Same-origin protection keeps scripts on one site from accessing sensitive data on another, such as cookies, local storage, or page content. A bypass here lets an attacker-controlled page read information from a victim’s open tabs or inject scripts into a legitimate site’s context, potentially capturing login credentials or session tokens.
According to the Chromium project’s advisory, the flaw could be triggered when a user visited a malicious page that served crafted HTML. No user interaction beyond the visit was required. Google’s security team credited an external researcher for discovering and reporting the issue, though the company has withheld further technical specifics to give users time to patch.
What this means for you
For everyday Windows users: If you use Chrome or any Chromium-based browser (Edge, Brave, Opera, Vivaldi), this bug weakens the isolation that keeps a banking tab safe from a random blog open in another tab. An attacker could host a page on a domain they control and, silently in the background, read data from a high-value site you’re logged into. The fix blocks that attack vector.
For IT administrators and power users: The issue is especially relevant in environments where users juggle multiple corporate web applications in the same browser. A same-origin bypass could allow an attacker to steal session tokens for internal tools or cloud services. Deploying the update promptly is essential, particularly in regulated industries.
For developers: The SanitizerAPI is still evolving. This flaw underscores the risk of relying on early-adopted browser APIs for security-critical operations without additional defense-in-depth layers. Developers who use the SanitizerAPI to filter user-generated content should validate that the underlying trust model remains sound after this fix.
How we got here
The SanitizerAPI was introduced in Chrome 105 (August 2022) as a built-in mechanism to clean HTML without dragging in a third-party library like DOMPurify. Its goals: prevent DOM-based cross-site scripting (XSS) attacks while keeping operations fast and native. The API’s design centers on a strict set of allowlists that remove script execution paths.
CVE-2026-14023 represents the first publicly disclosed same-origin bypass linked to the SanitizerAPI. Earlier vulnerabilities in the API were mainly around XSS bypasses in the sanitizer’s output or nuances with mutation events. This one targets the foundational trust model itself. Google’s medium severity rating reflects the practical difficulty of exploitation—an attacker needs to craft a page that interacts with a user’s other tabs in a specific way—but the potential impact on data confidentiality bumps its urgency.
The fix ships in Chrome 150 on Windows, Mac, Linux, and Android. The version number 150.0.7871 indicates a stable channel release that bundles multiple security patches alongside this one. Chromium-based browsers will integrate the fix on their own update cadence; Microsoft Edge typically merges such fixes within a day.
What to do now
- Update Chrome immediately. Open Chrome, click the three-dot menu, go to Help > About Google Chrome. The browser will download and install 150.0.7871 (or later). Relaunch when prompted.
- Close and reopen other Chromium browsers. Edge, Brave, Opera, and others will release updated versions in lockstep. Check each browser’s help menu for the latest version number and trigger an update manually if automatic updates are paused.
- Restart the browser after updating. Even after the update installs, any pre-existing processes might keep the old, vulnerable SanitizerAPI logic active. A full browser restart ensures the new code takes effect.
- Check for enterprise deployments. If your organization uses group policies to manage Chrome updates, verify that the latest stable release has been approved and pushed to endpoints. Microsoft Intune and SCCM can report Chrome versions fleet-wide.
- Enable additional site isolation if you haven’t already. Chrome’s strict site isolation feature (chrome://settings/content/site-isolation) adds a hardware-level separation between origins. It can mitigate similar attacks even before patches arrive. This is on by default for most users but can be verified in the settings.
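
A fleet-side check for the enterprise step above, as an added example that is not part of the original article: it sorts hosts from an inventory export by whether their reported Chrome version is at or above 150.0.7871. The CSV layout, column names, hostnames and sample version strings are constructed for illustration and do not reflect the Intune or SCCM export format.

```python
import csv
import io

# Fixed build named in the article; Chrome reports a fourth component after it.
FIXED = (150, 0, 7871)

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_patched(version, fixed=FIXED):
    """Compare only the components the fixed build specifies (150.0.7871.x all pass)."""
    padded = version + (0,) * (len(fixed) - len(version))
    return padded[:len(fixed)] >= fixed

def audit(report_csv):
    """Sort hosts into patched / vulnerable / unknown from an inventory export."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        version = parse_version(row.get("chrome_version") or "")
        if version is None:
            bucket = "unknown"  # no Chrome reported or unparseable value: check by hand
        elif is_patched(version):
            bucket = "patched"
        else:
            bucket = "vulnerable"
        result[bucket].append(row["hostname"])
    return result

# Constructed sample export; hostnames, columns and versions are made up.
SAMPLE = """hostname,chrome_version
fin-ws-01,150.0.7871.12
fin-ws-02,149.0.7810.98
hr-lt-07,150.0.7871
dev-ws-03,
ops-ws-11,150.0.7870.200
kiosk-02,151.0.7900.5
"""

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

An inventory version reflects what is installed, so a host listed as patched still needs the browser restart described in the list above. Other Chromium-based browsers use their own build numbers and should not be compared against this threshold.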
The outlook
The patch for CVE-2026-14023 highlights the hidden complexity of web platform security. As browser vendors add more built-in security APIs, the attack surface shifts from applications to the platform itself. For users, the rhythm remains unchanged: update fast and restart the browser. Google has not reported any active exploitation in the wild, but the window between disclosure and attackers reverse-engineering the patch is always small. For developers, the episode is a reminder that security boundaries need constant scrutiny, even when the API promises to handle the dirty work.
Next, watch for a more detailed technical breakdown from Google’s security team once the update reaches broad adoption. In the meantime, keeping Chrome current remains the simplest defense.