Google has pushed out a critical update for Chrome on macOS, patching a high-severity vulnerability that could let a remote attacker hijack your computer simply by luring you to a booby-trapped website. The fix, delivered in Chrome version 150.0.7871.46, addresses a heap buffer overflow tracked as CVE-2026-14385, which earned a “High” severity rating from Google’s security team.

The Specifics of the Chrome macOS Update

The update is specifically for macOS users running Chrome versions prior to 150.0.7871.46. According to the official release notes, a remote attacker could exploit this heap overflow through a crafted HTML page, potentially gaining the ability to execute arbitrary code on the victim’s machine. Heap buffer overflows occur when a program writes more data to a block of memory than it has allocated, potentially allowing an attacker to overwrite adjacent memory and hijack execution flow. In Chrome, such flaws often reside in the rendering or JavaScript engine, triggered by malicious web content.

Google hasn’t disclosed the exact technical details of the vulnerability—standard practice to give users time to patch before in-depth exploit information becomes public. The bug was rated High rather than Critical, which typically indicates it either affects only one platform (in this case, macOS) or requires additional user interaction. However, a High rating still signifies a serious threat: successful exploitation could grant an attacker the same privileges as the current user, enabling installation of malware, data theft, or complete system compromise.

Who Is at Risk and What’s the Real Danger?

Any Mac user who hasn’t updated Chrome to 150.0.7871.46 is vulnerable. This includes home users, students, and professionals. The danger escalates quickly: a heap buffer overflow can lead to remote code execution with minimal user interaction—often just visiting a compromised website or clicking a malicious link. In a worst-case scenario, an attacker could silently take over the machine, disable security software, or exfiltrate sensitive files.

IT administrators overseeing fleets of Macs face amplified risk. A single unpatched browser can become an entry point for lateral movement across a corporate network. Even if endpoint detection and response tools are in place, a memory corruption bug in a widely used application like Chrome can sometimes bypass isolated protections. Enterprises relying on managed Chrome deployments should consider this update an urgent priority.

The Backstory: How This Flaw Was Discovered

While Google hasn’t provided a detailed timeline, typical Chrome vulnerabilities are discovered through its Vulnerability Reward Program or internal fuzz testing. CVE-2026-14385 is a classic heap buffer overflow, a type of memory safety bug that has plagued C and C++ software for decades. Despite Chrome’s robust security architecture—including sandboxing, site isolation, and ahead-of-time compilation—no defense is impenetrable. Sometimes a flaw in a platform-specific component, like the macOS graphics stack or sandbox integration, slips through.

This isn’t the first high-severity macOS-specific heap overflow in Chrome. In recent years, Google has patched several similar bugs, often with rapid turnaround. Chrome’s six-week release cycle, supplemented by bi-weekly security updates, means that once a vulnerability is confirmed, a fix usually arrives within days. For users who keep automatic updates enabled, the patch will install seamlessly in the background; but manual verification is the surest way to close the window of exposure right now.

Why macOS Users Must Take This Seriously

There’s a lingering myth among Mac users that the platform is inherently more secure than Windows. While macOS benefits from strong system-level protections like System Integrity Protection and Gatekeeper, the browser remains a common attack vector regardless of OS. Modern threats cross platform boundaries effortlessly, and Chrome’s massive codebase—shared with Chromium, Brave, Edge, and others—means a single bug can echo across ecosystems.

In this case, the vulnerability is confined to macOS, which suggests it lives in code that is platform-specific. That could be anything from memory allocation routines that differ from Linux or Windows to hooks in the macOS graphics subsystem. Whatever the origin, the net effect is that Mac users are the exclusive target. Attackers who craft exploits for this flaw will be aiming directly at the Apple ecosystem.

How to Update Chrome on Your Mac Right Now

If you’re a home user, updating is straightforward:

  1. Open Chrome.
  2. Click the three-dot menu in the top-right corner.
  3. Hover over Help and click About Google Chrome.
  4. Chrome will automatically check for updates. If an update is available, it will start downloading.
  5. Once the download completes, click Relaunch to restart the browser with the new version.

After relaunching, verify the version: go back to About Google Chrome and ensure it reads “Google Chrome is up to date – Version 150.0.7871.46 (Official Build) (x86_64)” or the arm64 equivalent for Apple Silicon Macs.

For IT administrators managing multiple Macs, manual updates don’t scale. Use your mobile device management (MDM) or endpoint management platform—Jamf, Kandji, Addigy, or similar—to force install the latest Chrome version. Many tools let you set minimum version requirements and automatically push updates. Google’s Chrome Enterprise release notes provide installation packages and policies tailored for managed environments. If you’re using Chrome’s Legacy Browser Support or cloud-managed Chrome, verify that your policies are set to “Always allow updates” and that version reporting is enabled.

What Comes Next

Google typically releases additional technical details about high-severity flaws a few weeks after the patch ships, once the majority of users have updated. Security researchers may also publish proof-of-concept code. While no active exploitation has been confirmed at the time of writing, the clock is ticking. Chrome’s automatic update mechanism will roll this out to most users within days, but you shouldn’t wait. Open the About box right now and click update.

We’ll continue monitoring Google’s advisory and any follow-up reports. In the meantime, making browser updates a daily habit—checking every morning if you rely heavily on Chrome—is one of the simplest and most effective security practices you can adopt on any platform.